The fundamentals of secure IoT connectivity

Friday, January 26, 2018

The rise of the internet of things (IoT) is just as unstoppable as it is exponential. Consultancy Gartner forecasts the number of IoT units to reach 11bn this year and 20.5bn in 2020. The Mexican IoT market alone is expected to reach US$4bn by 2020.

Nonetheless, security threats grow in tandem with the internet of things, as every connected device represents a potential risk.

Carlos Romero, head of business innovation for Latin America at Dutch digital security firm Gemalto, spoke to BNamericas about the main security risks companies face when using connected devices. The executive also shared some precautions his firm recommends while using IoT applications to prevent malicious attacks.

BNamericas: Which sectors in Latin America do you see using IoT solutions the most?

Romero: Even though the concept of IoT is relatively new, we've been working on wireless device connectivity for several years now with sectors such as banking.

The IoT is developing faster in some markets such as vehicle and fleet tracking, payment terminals, which are growing quite fast in the region, mobile banking apps, and industrial telemetry. The number of devices that fall into this scheme has increased considerably in the latter.

BNamericas: What are the IoT security needs of your clients?

Romero: Security needs depend on how aware companies in each sector are of the existing risks.

Some sectors such as banking, for whom security is critical, and connected cars, a new field in the automotive industry, are quite conscious and thus have paid close attention to the subject.

Other industries are not as exposed to risks. Some are not fully aware of the possibility of a critical incident and for others a breach would not be a severe event.

The main requirement our clients have tends to be protecting information by enabling devices to send encrypted data. Information from a device is encrypted and sent to a server, where it is later deciphered.

Other clients require the ability to authenticate their devices, which is a more specific task. This entails recognizing the devices connected to a network.

A third requirement involves security in commercial networks, but this has become inherent to connectivity. That is, devices using commercial networks are automatically authenticated, sometimes more than once, when they connect to IP, 3G, or other networks.

There are more specific and sophisticated projects, such as the ones we have done in the connected vehicles segment.

BNamericas: What are the main risks companies should consider when implementing IoT technology?

Romero: There are different levels to what can be at risk or exposed when a device is connected and what you can do to protect yourself. This will vary depending on each industry.

When a device works with critical information, the main risk is for someone else to gain access to said information. The best way to approach this is by encrypting the data.

The second risk consists of having a device hacked, or someone could also clone the device's operation. For instance, the information a server receives may not come from the company's IP camera but from an apocryphal device usurping the camera's identity.

This is an authentication risk. When a device is not authenticated properly, it can be hacked, cloned, or tricked into "thinking" that it's receiving information from the server it's connected to.

A third risk is more on the server side. An attack on the server could result in services going down, thus affecting the operation of connected machines.

BNamericas: What does Gemalto recommend to ensure security in IoT devices?

Romero: The main thing to consider in IoT or any other scheme is that security must be addressed from the design stage.

It is way more complicated to add a security component when the design is already completed.

A good example would be the work we have done with mobile networks, as we work with the entities that define these networks. In these cases, the security components are introduced in their design. Gemalto not only works on the devices' connectivity component, but also on the elements that enable communication in the devices. Here we also collaborate with the manufacturers in designing the devices.

Our main recommendation is to add the elements needed to authenticate the devices in the networks and to encrypt information from the earliest stages. This will ensure secure connectivity that covers data downloads and the devices' framework, which may include software and digital systems.

There are also some security elements to consider when adding user access components to IoT schemes.

About Carlos Romero

Carlos Romero has worked in the smart card industry for over 16 years, covering several areas such as manufacturing, software services, and marketing and innovation.

His current post at Gemalto involves working with mobile network operators and banks to create value-added services leveraging technologies such as embedded SIM, the IoT, m-payments, near field communication, and LTE networks.