How CSPs Can Secure a Network of IoT Devices

By Simon Bryden | February 25, 2019

Across industry after industry, Internet of Things (IoT) devices are transforming operations, and communication service providers (CSPs) are helping companies deploy and utilize these technologies. That raises new security concerns for service providers.

In manufacturing, the Industrial IoT (IIoT) automates both the querying of sensors in equipment and safety systems, and the analysis of that information to improve operational efficiency. The data generated is stored, aggregated, and analyzed to provide real-time insight and action.

Smart logistics devices provide data on the position of vehicles and parcels, enabling transportation and logistics companies to optimize route planning and the efficiency of activities such as cold chain planning for refrigerated items. For the customers awaiting deliveries, radio-frequency identification (RFID) tags and similar devices can enable precise parcel tracking. Smart medical devices that are available today enable medical professionals to remotely monitor patients’ health indicators. Meanwhile, smart vehicles in development are being designed to communicate with other vehicles, with the transportation infrastructure, and even with pedestrians—significantly enhancing vehicular safety.  

IoT networks, connectivity, and services often represent a departure from CSPs’ typical services. Consider the type of communications infrastructure an agricultural business needs for its network of IoT soil monitors. It might have a huge number of devices spread out over numerous fields, each requiring only minimal bandwidth to communicate soil readings and each subject to a very strict power consumption limit. Such a deployment might be a good fit for a specialized connectivity service, such as Cat-M1 or narrowband IoT (NB-IoT), that targets low-bandwidth and low-power communications. Other options may be LoRaWAN or Sigfox, which target ultra-low-bandwidth wide-area communications.

CSPs looking to compete in the IoT space are increasingly offering more than just specialized connectivity. Some are developing complete multi-tenant cloud platforms that store and analyze IoT devices’ data, and give customers access to those insights.

IoT Security Is a Significant Concern

Any CSP supporting IoT connectivity needs to pay close attention to the security risk IoT holds. IoT hardware is lean by design. Thus, these devices are constrained in terms of CPU, memory, persistent storage, and network bandwidth. Often, security is not included. Worse, the plethora of competing IoT standards organizations makes it challenging to interconnect devices, which may undermine whatever internal security the devices include.

The challenges are compounded when IoT devices are geographically dispersed. They may be located in public places that are difficult to secure physically. They may even be installed in places that are tough to access, such as far-flung corners of remote, muddy fields.

Ultimately, an IoT infrastructure may consist of an extremely large number of inherently insecure devices. The network’s aggregation points need to be shored up with signaling security, authentication protocols, and tunnel termination. A particular concern is the possibility that malfunctioning or compromised IoT devices might overload the signaling infrastructure. For example, if millions of devices began continuously reconnecting because of a bad software update, the effect on the mobile network would be the same as in an intentional denial-of-service (DoS) attack.

Security needs to be a top priority for CSPs offering IoT-related services, whose customers may be unaware of the risks. When an operator provides devices as part of a package, liability in the event of a problem is a legal gray area. Operators must take proactive steps to keep customers’ devices and data safe.

How to Secure a Network of IoT Devices

Because of IoT devices’ vulnerabilities, security needs to be provided at the network and IoT platform layers. CSPs should utilize next-generation firewalls (NGFWs) that can scale up to protect a network with many devices and that offer encryption at scale. A CSP’s NGFWs should provide advanced IPsec/TLS capabilities, enabling them to terminate encrypted tunnels to ensure the integrity and privacy of IoT data. Support for multi-tenancy and micro-segmentation allows a CSP to prevent a problem with one group of IoT devices from affecting the provider’s entire network. And NGFWs with mobile core protection can offer inspection and rate-limiting of IoT sessions, so that the CSP can contain signaling storms created by malfunctioning or compromised devices.
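The session rate-limiting and per-tenant isolation described above can be sketched as follows. This is an added example, not Fortinet code or configuration: the class name, thresholds and attach events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class AttachLimiter:
    """Per-tenant token bucket plus per-device reconnect quarantine (hypothetical).
    Timestamps are integer milliseconds; tokens are stored as milli-tokens."""

    def __init__(self, rate, burst, max_reconnects, window_ms):
        self.rate, self.cap = rate, burst * 1000      # tokens/sec, bucket size
        self.max_reconnects, self.window_ms = max_reconnects, window_ms
        self.tokens = defaultdict(lambda: self.cap)   # tenant -> milli-tokens
        self.last = {}                                # tenant -> last refill time
        self.history = defaultdict(deque)             # device -> recent attach times
        self.quarantined = set()

    def admit(self, ts, tenant, device):
        # Device check: too many attaches inside the window marks the device
        # as malfunctioning or compromised, and it is no longer served.
        h = self.history[device]
        h.append(ts)
        while h[0] <= ts - self.window_ms:
            h.popleft()
        if len(h) > self.max_reconnects:
            self.quarantined.add(device)
        if device in self.quarantined:
            return False
        # Tenant check: refill this tenant's bucket only, then spend one token,
        # so a storm in one tenant cannot consume another tenant's budget.
        elapsed = ts - self.last.get(tenant, ts)
        self.last[tenant] = ts
        self.tokens[tenant] = min(self.cap, self.tokens[tenant] + elapsed * self.rate)
        if self.tokens[tenant] < 1000:
            return False
        self.tokens[tenant] -= 1000
        return True

# Constructed sample: 20 "farm" sensors re-attach every 100 ms for 5 s (a bad
# update); 3 "clinic" monitors attach once per second, as intended.
EVENTS = sorted(
    [(t * 100, "farm", f"soil-{d}") for t in range(50) for d in range(20)]
    + [(t * 1000, "clinic", f"mon-{d}") for t in range(5) for d in range(3)]
)

def demo():
    """Replay EVENTS; return ({tenant: [admitted, dropped]}, quarantined devices)."""
    lim = AttachLimiter(rate=5, burst=10, max_reconnects=5, window_ms=2000)
    stats = defaultdict(lambda: [0, 0])
    for ts, tenant, device in EVENTS:
        stats[tenant][0 if lim.admit(ts, tenant, device) else 1] += 1
    return dict(stats), lim.quarantined

if __name__ == "__main__":
    print(demo())
```

In this replay the storming tenant is throttled and its devices are quarantined within the first half second, while every attach from the well-behaved tenant is admitted.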

Intrusion prevention system (IPS) capabilities in an NGFW help a CSP detect attacks by looking for both known signatures and anomalous behavior by IoT devices. Application control support enables operators to ensure that only IoT devices with authorized protocols are permitted. In some cases, pairing the NGFW with a network access control device allows for device identification, providing access to the appropriate network segments based on the identified device type. This pairing also helps ensure that unknown IoT hardware is denied access. Additionally, it provides continuous monitoring to detect devices being compromised or even switched out during use.

Other capabilities that are crucial to a CSP’s ability to secure an IoT cloud platform include sandboxing, for advanced threat detection and protection, and a web application firewall with behavioral and machine learning-based security for web applications. An application delivery controller can optimize the performance and availability of IoT platform web applications that serve as the customer interface.

These features all help secure a network of IoT devices. Deploying them as a tightly integrated platform, rather than isolated point solutions, gives a CSP a true competitive advantage. When Fortinet and third-party products integrate into the Fortinet Security Fabric, they can share information in real time, so that security solutions respond to perceived threats faster and in a more coordinated manner. This integration also provides a significantly lower total cost of ownership (TCO) than running disparate point solutions.[1]

Join Us to Learn More

Learn more by visiting the Fortinet booth—booth 31, hall 7—at the Mobile World Congress from February 25–28, 2019. Experts will be on hand to discuss how Fortinet solutions can help a CSP secure IoT offerings.

For more on our presence at the Mobile World Congress, visit: fortinet-mwc.com.

Find out more about how integrating the Fortinet Security Fabric can help enable digital transformation while improving ROI.

Learn more about Fortinet's 5G security solutions.

[1] Zeus Kerravala, “How to Enable Digital Transformation and Improve ROI with Fortinet Security Fabric,” ZK Research, October 2017.