IoT security is about securing IoT devices and the platforms and networks to which they are connected. The connectivity can be the weakest link. Many IoT devices are vulnerable to attacks because they are simple in design without extensive security features. In addition, many IoT devices are “headless,” lacking screens and not monitored by humans, making detecting attacks more difficult. IoT connectivity management platforms, such as the Enea Aptilo IoT Connectivity Control Service (IoT CCS), are also very attractive targets for hackers as they are at the heart of the IoT service, handling all signaling and traffic.
It is imperative to implement state-of-the-art IoT security to protect devices and platforms. Let’s explore some of the attacks that you may expect.
PROTECTING IOT DEVICES
Examples of potential attacks from which the IoT security solution should protect IoT devices.
IoT is quickly becoming a victim of its own success. Planting malware in IoT devices is becoming more and more attractive for attackers, even if it is not yet prevalent.
The return on exploiting a software vulnerability or security flaw in a single IoT device may be limited, because the installed base is fragmented across a great many custom-developed software stacks, so one exploit rarely scales to many devices. At the same time, custom-developed software tends to carry bugs that mature general-purpose components would not have, which can make the individual device an easy target.
Denial-of-Service (DoS) Attacks
An attacker can flood a device with traffic from many different sources and thus mount a DoS attack. Many IoT devices are designed to handle only minimal traffic, which makes such an attack easy.
PROTECTING IOT PLATFORMS
Examples of potential attacks from which the IoT security solution should protect IoT platforms.
Just like IoT devices, IoT platforms may have vulnerabilities in their software. One of the weakest spots is data transfer to and from the platform, so an IoT security solution must account for the usual API attacks and SQL injection.
Scanning an IoT platform for unused services and exploiting their vulnerabilities is a popular method. The remedy is as simple as it is evident: close all open ports that are not needed, disable any unnecessary services and, if possible, remove them from the system altogether.
Another method is to provoke programming errors in the platform software with malformed input (fuzzing). The goal can be to find exploitable vulnerabilities or simply to cause disruption. Typical inputs include extremely long fields, invalid or unusual data, and deliberate protocol anomalies.
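The check a platform operator would run to back this up is a listening-socket audit against an allowlist. The following is an added example, not Enea/Aptilo code: it parses `ss -Hltnup`-style output (the sample is constructed), reports every TCP/UDP listener that is not on the allowlist or is owned by an unexpected process, and suggests the service to stop. The allowlist entries and the assumption that the systemd unit name equals the process name are both assumptions made for the example.

```python
"""Audit listening sockets against an allowlist of expected services.

Added example, not Enea/Aptilo code. It parses `ss -Hltnup`-style output
(header suppressed, listening TCP/UDP sockets with owning process) and reports
every listener that is not on the allowlist, so the unneeded service can be
stopped and its port closed. The sample output below is constructed.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the format of `ss -Hltnup` on a platform node.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0  128   0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0  4096  0.0.0.0:1812   0.0.0.0:*  users:(("radiusd",pid=1301,fd=9))
udp   UNCONN 0  0     0.0.0.0:1812   0.0.0.0:*  users:(("radiusd",pid=1301,fd=10))
tcp   LISTEN 0  511   0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=1450,fd=6))
tcp   LISTEN 0  50    0.0.0.0:21     0.0.0.0:*  users:(("vsftpd",pid=1601,fd=4))
tcp   LISTEN 0  128   [::]:23        [::]:*     users:(("telnetd",pid=1622,fd=5))
tcp   LISTEN 0  128   127.0.0.1:5432 0.0.0.0:*  users:(("postgres",pid=900,fd=7))
"""

# (protocol, port) -> process expected to own it. Assumed for the example:
# SSH management, RADIUS, the HTTPS API and a loopback-only database.
ALLOWLIST = {
    ("tcp", 22): "sshd",
    ("udp", 1812): "radiusd",
    ("tcp", 1812): "radiusd",
    ("tcp", 443): "nginx",
    ("tcp", 5432): "postgres",
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    proc: str


def parse_ss(text):
    """Turn ss output into Listener records; lines that do not parse are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return out


def audit(text, allowlist=ALLOWLIST):
    """Return listeners that are not allowlisted or are owned by an unexpected process."""
    findings = []
    for lst in parse_ss(text):
        expected = allowlist.get((lst.proto, lst.port))
        if expected is None or expected != lst.proc:
            findings.append(lst)
    return findings


def live_ss_output():
    """Collect the real socket table (Linux with iproute2); raises if ss is missing."""
    return subprocess.run(["ss", "-Hltnup"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for lst in audit(SAMPLE_SS_OUTPUT):
        # Unit name assumed to equal the process name; verify before running.
        print(f"{lst.proto}/{lst.port} on {lst.addr} owned by {lst.proc}: "
              f"not allowlisted -> systemctl disable --now {lst.proc}")
```

Replace `SAMPLE_SS_OUTPUT` with `live_ss_output()` to run it against a real node; the point of keying the allowlist on process name as well as port is that a port squatted by the wrong binary is reported too.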
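To make the three input classes concrete, here is an added example (not Enea/Aptilo code) in Python: an invented registration-message format with a naive parser that trusts the declared length and field contents, a hardened parser that validates each field, and a small fuzzer that feeds both the constructed anomaly cases (extremely long field, invalid bytes, truncated and oversized length claims, unknown type, trailing garbage) plus seeded random input and counts how many escape as unhandled exceptions. The message layout, the type codes and the 64-byte field limit are all assumptions.

```python
"""Fuzzing a small registration-message parser with long fields, invalid data
and protocol anomalies.

Added example, not Enea/Aptilo code. The message format is invented for the
example: 1-byte type, 2-byte big-endian length, then a device-id field.
`parse_naive` trusts the declared length and the field contents, so malformed
input escapes as unhandled exceptions (a crash on a real service).
`parse_strict` validates every field and turns each anomaly into a handled
ProtocolError. `fuzz` runs a parser over a case list and counts the outcomes.
"""
import random
import struct

HEADER = struct.Struct("!BH")      # type, declared field length
KNOWN_TYPES = {1, 2}               # 1 = register, 2 = keepalive (assumed)
MAX_FIELD = 64                     # longest legitimate device id (assumed)


class ProtocolError(ValueError):
    """Raised by the strict parser for any malformed message."""


def build(mtype, field):
    """Encode a message the way a well-behaved device would."""
    return HEADER.pack(mtype, len(field)) + field


def parse_naive(msg):
    """Trusts declared length and bytes: struct.error / UnicodeDecodeError leak out."""
    mtype, length = HEADER.unpack_from(msg, 0)
    (field,) = struct.unpack_from(f"!{length}s", msg, HEADER.size)
    return mtype, field.decode("ascii")


def parse_strict(msg):
    """Bounds-checks the header, the length and the field content before use."""
    if len(msg) < HEADER.size:
        raise ProtocolError("truncated header")
    mtype, length = HEADER.unpack_from(msg, 0)
    if mtype not in KNOWN_TYPES:
        raise ProtocolError(f"unknown type {mtype}")
    if length == 0 or length > MAX_FIELD:
        raise ProtocolError(f"field length {length} out of range")
    if len(msg) != HEADER.size + length:
        raise ProtocolError("declared length does not match message size")
    field = msg[HEADER.size:]
    if not (field.isascii() and field.isalnum()):
        raise ProtocolError("device id is not alphanumeric ASCII")
    return mtype, field.decode("ascii")


# Constructed cases, one per anomaly class named in the text.
CASES = [
    build(1, b"dev01"),                    # valid
    b"",                                   # empty
    b"\x01\x00",                           # truncated header
    b"\x01\xff\xff" + b"A" * 5,            # length claims 65535, body is 5 bytes
    build(1, b"A" * 1000),                 # extremely long field
    build(1, b"\xff\xfe\x00"),             # invalid (non-ASCII, NUL) data
    build(0x7F, b"dev01"),                 # unknown message type
    build(1, b"dev01") + b"trailing",      # trailing garbage
    b"\x01\x00\x05dev",                    # declared 5, only 3 present
]


def random_cases(n=200, seed=7):
    """Seeded random byte strings so the run is reproducible."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 40)))
            for _ in range(n)]


def fuzz(parser, cases):
    """Count accepted / cleanly rejected / crashed (unhandled exception) cases."""
    stats = {"accepted": 0, "rejected": 0, "unhandled": 0}
    for case in cases:
        try:
            parser(case)
            stats["accepted"] += 1
        except ProtocolError:
            stats["rejected"] += 1
        except Exception:              # struct.error, UnicodeDecodeError, ...
            stats["unhandled"] += 1
    return stats


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("strict", parse_strict)):
        print(name, fuzz(parser, CASES + random_cases()))
```

Note what the naive parser does with the 1000-byte field, the unknown type and the trailing garbage: it accepts all three, which is exactly the kind of silent acceptance a fuzzer uses to map out where the next, deeper bug lives.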
Denial-of-Service (DoS) Attacks
Denial-of-service attacks could come via externally facing interfaces, but also from large numbers of malfunctioning IoT devices that, for instance, re-register in a loop (a registration storm) and exhaust the platform's signaling capacity.
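Detecting and containing a registration storm is a matter of counting per device over a sliding window and throttling the offenders before they reach the AAA. The following is an added example, not Enea/Aptilo code; the log-line format, the test-range IMSIs and the thresholds are constructed for the example.

```python
"""Spotting a registration storm in platform logs and throttling it per device.

Added example, not Enea/Aptilo code. The log format is constructed for the
example (one line per registration attempt). `detect_storms` keeps a sliding
window per IMSI and flags any device that registers `threshold` or more times
within `window_s` seconds; `RegistrationThrottle` is a per-device token bucket
a platform could apply before an attempt is forwarded to the AAA.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) REGISTER "
    r"imsi=(?P<imsi>\d{15}) apn=(?P<apn>\S+) result=(?P<result>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

STORM_IMSI = "001010123456789"   # assumed IMSIs from the MCC 001 / MNC 01 test range
QUIET_IMSI = "001010000000001"
BURSTY_IMSI = "001010000000002"


def build_sample_log():
    """Constructed log: one device re-registering every 4 s for two minutes,
    one registering once, one registering three times over ten minutes."""
    t0 = datetime(2024, 5, 3, 10, 0, 0, tzinfo=timezone.utc)

    def line(t, imsi, result):
        return f"{t.strftime(TS_FMT)} REGISTER imsi={imsi} apn=iot.example result={result}"

    lines = [line(t0 + timedelta(seconds=4 * i), STORM_IMSI, "OK") for i in range(30)]
    lines.append(line(t0 + timedelta(seconds=30), QUIET_IMSI, "OK"))
    lines += [line(t0 + timedelta(minutes=m), BURSTY_IMSI, "REJECT") for m in (0, 5, 9)]
    return sorted(lines)             # ISO-8601 timestamps sort chronologically


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["imsi"]


def detect_storms(lines, window_s=60.0, threshold=5):
    """Return {imsi: peak attempts seen inside one window} for each offender."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                         # unrelated log line
        ts, imsi = rec
        q = recent[imsi]
        q.append(ts)
        while q and ts - q[0] > window_s:    # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[imsi] = max(flagged.get(imsi, 0), len(q))
    return flagged


class RegistrationThrottle:
    """Per-IMSI token bucket: `burst` attempts at once, then one per `seconds_per_token`."""

    def __init__(self, burst=3, seconds_per_token=60.0):
        self.burst = burst
        self.per = seconds_per_token
        self.state = {}                      # imsi -> (tokens, last_seen)

    def allow(self, imsi, now):
        tokens, last = self.state.get(imsi, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) / self.per)
        if tokens >= 1.0:
            self.state[imsi] = (tokens - 1.0, now)
            return True
        self.state[imsi] = (tokens, now)     # still rate-limited
        return False


if __name__ == "__main__":
    print(detect_storms(build_sample_log()))
```

The detector reports the peak count so an operator can tell a device that tripped the threshold once from one that is hammering the platform; the throttle spends tokens only on allowed attempts, so a looping device keeps being refused until it has been quiet for a full refill interval.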
IoT Security in Enea Aptilo IoT CCS
With Enea Aptilo IoT Connectivity Control Service (IoT CCS), mobile operators get a best-of-breed solution for IoT connectivity management and IoT security. IoT CCS is based on our IoT connectivity platform, Enea Aptilo SMP, which is widely used for multi-purpose management of user and device identification, policy, charging, provisioning, and user notifications and engagement. The Enea Aptilo SMP has been deployed with 100+ operators or cloud installations worldwide to manage services on 3GPP and non-3GPP networks (primarily Wi-Fi). The platform supports standard 3GPP AAA Server and 3GPP Policy functions in the mobile core, Wi-Fi Calling, and Mobile Data Offloading deployments.
For IoT security in IoT CCS, Enea has chosen to partner with Fortinet, one of the top three cybersecurity companies in the world. They provide the underlying packet core platform for the data plane (VPN + Firewalling), based on Fortinet’s FortiGate next-generation firewall product portfolio.
IoT CCS secures IoT traffic by extending the enterprise perimeter with secure SD-WAN functionality. Enterprises do not have to make their own investments to secure their IoT devices and applications, and they can include selected partner networks in the SD-WAN for improved IoT security.
With IoT CCS, mobile operators can offer managed IoT security to their customers:
- An extra layer of device authentication, controlled by the end customer.
- Policy enforcement at the edge.
- VPN management.
- Policy-based IP assignment and routing.
- Specific policies per enterprise, per device, and per group of devices.
- Device traffic filtering by source/destination IP, protocol, port, etc.
- Quarantine of suspicious devices by the customer.
- Intrusion prevention.
- Protection against denial-of-service (DoS) attacks.
- Limits per device on data usage, number of TCP connections, etc.
- URL Lock: Filter traffic so that it can only go to certain destinations.
- APN Lock: Prevents SIM hijacking; each device authenticates to the APN with an individual username and password.
- IMEI Lock: A SIM can only be used in a specific device.
- Location Lock: A SIM can only be used where you want it to be used.
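To show how the four locks and the connection cap combine into one per-session decision, here is an added example in Python that is not Enea/Aptilo code and not a description of how IoT CCS implements them. The policy layout, attribute names, decision strings, the test-range IMSI and the example IMEI are all assumptions; in a real deployment the IMSI, IMEI and cell identity would come from the AAA and packet-core session, and the destination host from the firewall. APN passwords are stored as salted PBKDF2 hashes and compared in constant time, and a SIM that appears in the wrong device or the wrong place is quarantined rather than simply dropped, so the customer can investigate.

```python
"""Evaluating per-device connectivity locks (APN, IMEI, location, URL) and a
connection cap for one session.

Added example, not Enea/Aptilo code. Attribute names, the policy layout and
the decision strings are assumed. Returns "allow", "deny:<reason>" or
"quarantine:<reason>".
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_secret(secret, salt=None, rounds=100_000):
    """Salted PBKDF2-SHA256 so APN passwords are never stored in clear."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, rounds)


@dataclass(frozen=True)
class DevicePolicy:
    imsi: str
    imei: str                  # IMEI lock: the SIM may only be used in this device
    apn_user: str              # APN lock: per-device APN credentials
    apn_salt: bytes
    apn_hash: bytes
    allowed_cells: frozenset   # location lock: cell IDs where the SIM may attach
    allowed_hosts: frozenset   # URL lock: only these destinations are reachable
    max_tcp: int               # per-device connection cap


@dataclass(frozen=True)
class Session:
    imsi: str
    imei: str
    apn_user: str
    apn_password: str
    cell_id: str
    dest_host: str
    tcp_conns: int


def evaluate(policy, s):
    """Apply the locks in order; credential failures deny, identity drift quarantines."""
    if s.imsi != policy.imsi:
        return "deny:unknown-sim"
    _, digest = hash_secret(s.apn_password, policy.apn_salt)
    if s.apn_user != policy.apn_user or not hmac.compare_digest(digest, policy.apn_hash):
        return "deny:apn-auth"                 # hijacked SIM without credentials fails here
    if s.imei != policy.imei:
        return "quarantine:imei-mismatch"      # SIM moved into another device
    if s.cell_id not in policy.allowed_cells:
        return "quarantine:location"           # SIM used outside its permitted area
    if s.dest_host not in policy.allowed_hosts:
        return "deny:url-lock"
    if s.tcp_conns > policy.max_tcp:
        return "deny:connection-limit"
    return "allow"


def make_policy(imsi, imei, apn_user, apn_password, cells, hosts, max_tcp, salt=None):
    salt, digest = hash_secret(apn_password, salt)
    return DevicePolicy(imsi, imei, apn_user, salt, digest,
                        frozenset(cells), frozenset(hosts), max_tcp)


# Constructed policy for one metering device (test-range IMSI, example IMEI,
# fixed salt only so the example is reproducible; use os.urandom in practice).
METER = make_policy("001010123456789", "490154203237518", "meter-0042", "s3cr3t-0042",
                    cells={"262-01-4711-1001", "262-01-4711-1002"},
                    hosts={"collector.iot.example"}, max_tcp=8, salt=b"\x00" * 16)


def meter_session(**overrides):
    """A normal session for METER; pass overrides to simulate one violated lock."""
    base = dict(imsi="001010123456789", imei="490154203237518", apn_user="meter-0042",
                apn_password="s3cr3t-0042", cell_id="262-01-4711-1001",
                dest_host="collector.iot.example", tcp_conns=2)
    base.update(overrides)
    return Session(**base)


if __name__ == "__main__":
    print(evaluate(METER, meter_session()))
    print(evaluate(METER, meter_session(imei="356938035643809")))
```

The ordering matters: authentication is checked before IMEI and location so that an attacker probing with a stolen SIM learns nothing about which device or cells the policy expects, and the two identity checks quarantine (keeping the session observable) instead of silently denying.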
Detection of traffic anomalies and antivirus scanning are also part of the security protection made possible by this tight integration between Aptilo’s policy control platform and FortiGate nodes.
Most mobile core deployments have some kind of firewall capability. With IoT CCS, mobile operators can go beyond that general, rudimentary protection and give each of their enterprise customers its own state-of-the-art firewall protection.
Mobile operators can offer their customers flexible self-managed IoT security, with the ability to steer selected traffic through private connections (Private APN) or directly to the Internet while protected by FortiGate next-generation firewalls. Each customer can have its own IoT security configuration.
The IoT CCS Multitenancy Private APN, the ability to automate the provisioning of Enterprise VPNs for each business customer, further enhances the overall IoT security. Mobile operators will be able to afford to offer APN+VPN to more customers. The FortiGate firewalls also protect smaller customers unable to handle VPNs on their side.
More cybersecurity available within Enea:
Enea offers a range of cybersecurity solutions, including the award-winning Qosmos ixEngine. It is trusted by leading cybersecurity vendors to deliver the granular, real-time network traffic intelligence needed for early detection of breaches, threats, and suspicious behavior and to support advanced analytics for security orchestration and automation.
Through the acquisition of AdaptiveMobile Security Ltd, we have added software and services for messaging and signaling security in mobile core networks to the Enea family.