Empowering Security in the CSP’s IoT Infrastructure and Services

By Simon Bryden | May 15, 2018

CSPs are well-positioned to benefit from the continuing growth of Internet of Things (IoT) devices and related systems—but only as long as the infrastructure can support some IoT-specific challenges, including, of course, security.

Unlike the mobile device world, these infrastructures typically combine vast numbers of low-cost devices transmitting small amounts of data at a low bandwidth. Devices can be widely dispersed geographically. They can be difficult to physically manage or update, and they can also reside in hard-to-reach or unusual places (e.g., buried deep underground or on top of a mountain). Finally, devices are often very constrained in terms of cost or resources, which may make it difficult to integrate the same strong security features that are commonplace in traditional environments.

Let us start by examining a few use cases of IoT to better understand the issues:

Smart Cities are an exciting new prospect, and are enabled in many ways by IoT. Such developments involve a wide range of connected functions, ranging from parking aids to critical functions such as energy management, water supply, and public safety.

Critical infrastructure protection is a related (and overlapping) use case, as industrial networks begin looking at the benefits of moving from legacy protocols to an IoT approach.

The smart city case serves as a good example of how diverse IoT applications can be: A parking space occupation sensor may only need to transmit a single empty/occupied indication several times a day, whereas CCTV systems may be transmitting constant high-bandwidth streams.

In addition to bandwidth variations, the criticality of the data is also variable. If parking space data is compromised, the consequences are not so bad. If the electricity distribution is compromised, the potential dangers could be life-threatening.

So all is not equal in the world of IoT.

Smart vehicles are also a high-growth area. This infrastructure must include or anticipate security for everything from navigation systems and infotainment, to in-car Wi-Fi, to insurance telematics, and ultimately to autonomous self-driving vehicles. A particularly interesting area of development is vehicle to everything (V2X), which covers a range of communications between a vehicle and other entities:

· Vehicle to Vehicle (V2V) for collision avoidance safety systems
· Vehicle to Infrastructure (V2I) such as traffic signal timing/priority
· Vehicle to Pedestrian (V2P) for safety alerts to pedestrians and cyclists
· Vehicle to Network (V2N) for real-time traffic/routing updates and cloud services

In smart vehicles, security is clearly a very high priority, especially with the recent high-profile hacks on connected vehicle systems, where security researchers hijacked critical systems in Jeep and Tesla vehicles (both of which have since been patched by the manufacturers).

Securing real-time data analytics can be a critical aspect of IoT systems. Smart logistics encompasses shipping of goods across all modes of transport—from cargo ships and containers to individual packages traveling via air or ground transport. Smart logistics infrastructures may operate across continents to enable:

· Fleet management
· Route optimization
· Payload/parcel tracking
· Cold chain management
· Fuel management

Healthcare is an area of intense interest—not just to solution innovators but to cyber criminals as well. Smart medical infrastructures help relieve some of the burdens of patient monitoring from healthcare institutions. Specific use cases include elderly care, connected pacemakers, and portable patient monitors. At-home or remote patient monitoring is designed to reduce facility overcrowding and costs while improving quality of care. Securing these infrastructures comes with a particularly high level of scrutiny, due to strict compliance requirements to ensure the privacy of patient data, and again the need for security goes without saying.

The smart home market is growing fast and includes a wide range of devices, such as thermostats, smart lighting, home security systems, video systems, smart coffee machines, and washing machines. These consumer-grade IoT devices are largely what give IoT its reputation as lacking basic security. This is mainly due to the high competition and low margins in the consumer space, which leave little investment available for security. And indeed, it was exactly these kinds of devices (home cameras and DVRs) which were infected by the Mirai botnet in 2017. This caused the biggest ever recorded DoS attack, as well as secondary attacks on DNS provider Dyn, which caused outages in major internet platforms such as Amazon, Netflix, and PayPal.

Home IoT devices also open up new possibilities for novel attacks such as service disruption ransomware (pay to get heating restored, or TV unblocked), blackmail ransomware (pay to avoid camera footage being published), or theft (disabling weak home security).

In summary, the IoT market is very broad, and the requirements in terms of bandwidth, response times, and, of course, security vary widely from one application to another. So an IoT system must be built with a flexible and adaptable architecture.

Today’s IoT Architecture

The diagram above shows a typical IoT architecture. At the bottom are the devices which may be connected using a direct IP connection (wired or Wi-Fi), or a local wireless connection such as Zigbee to an IP gateway device. If local Internet connectivity is not available, then cellular technologies can be used, including a range of new IoT-focused categories such as NB-IoT, or one of the new ultra-low bandwidth WAN technologies such as LoRaWAN. The data may or may not traverse the public Internet.

Device provisioning and management are performed by the IoT service layer, which may provide many functions, including device identity management, authentication and authorization, data storage, and analytics. There are currently more than 400 IoT service platforms available on the market, each offering a wide range of services.

Finally, the application layer is where the data is presented to the end user, and where devices can be managed and controlled. This layer is where the end customer experiences the benefit of the IoT, where analytic output may be reduced to clear indications or recommendations, and where automation can be used to take actions based on inputs from the sensors in the network.

For the CSP, the main business is traditionally in the access network layer. However, with the bandwidth patterns of constrained IoT devices, a bandwidth-based business model is going to struggle to be profitable. CSPs need a new business model, and the most logical place to add value is at the IoT service layer. Building an IoT Service function allows a CSP to differentiate itself by offering a range of value-added services, including security functions. This also gives it control over the devices (rather than simply the device data), allowing a higher level of protection of its own infrastructure.

Fortinet already has a lot of experience protecting CSP infrastructure, with highly scalable core network solutions for the security gateway, signaling protection, and Gi firewalling. For MSSPs we also offer a wide range of low-end CPE devices.

With an evolving set of features specifically focused on IoT such as detection and control of IoT protocols, detection of IoT devices, and rate limiting of messages and signaling, Fortinet has all the tools necessary to protect an IoT network.

And with the Fortinet Security Fabric, the overhead of managing such complex and diverse networks is minimized. An integrated security solution that provides visibility across the entire infrastructure is the best approach to keeping IoT infrastructures safe from increasingly sophisticated and intelligent cyber attacks, and it can be the key to help CSPs add meaningful value—and revenue—to that customer relationship.

Read more to learn about three security service models that can help increase revenue and provide more ways to find new revenue opportunities. Also, learn how a security fabric approach improves business efficiencies and can empower IoT infrastructure and services.