The prevalence and proliferation of connected devices have undoubtedly improved efficiency in people’s lives, but the massive amounts of personal data required to operate such devices have raised numerous safety and security concerns. We spoke with Gerald Reddig, Nokia’s head of security marketing, and Daisy Su, Nokia’s connected device platform marketing manager, to gain a better understanding of what’s happening in the IoT security landscape, and what Nokia is doing to ensure that customers’ data stays safe.
ReadWrite: The Internet of Things provides new ways to use services that are reliant on data and providing a platform in the cloud. So we kind of know that end users are going to have issues around data security. How do we overcome the customer’s fears regarding security?
Gerald Reddig: One of the nice proof points for all of the initiatives that we started in Nokia has to do with the Mirai botnet attack — the biggest IoT attack ever.
This type of breach attacks internet or service providers; in the Mirai case, the service provider was hacked by IoT devices that were managed by neither the end user nor the manufacturer. This raised an important question in the IoT industry — should we secure the device itself or the data from the device, within the application server? The bottom line is that there is actually no single magic security bullet that can easily fix all the key IoT security issues. You need to attack the problem from different angles.
There is a range of different issues to consider in IoT security. The first is IoT network security, which protects and secures the DNS or connected devices to backend systems on the Internet. Then there’s IoT authentication, which provides the ability for users to penetrate the IoT device and the management of overseeing the device. The third is encryption, or putting data in transit between IoT edge devices and backend systems. IoT public key infrastructure (PKI) typically originates from service providers and ensures that the radio access network (RAN) system provides digital certificates and cryptographic lifecycle capabilities. The fifth and biggest industry topic right now is IoT security analytics, which is the process of collecting, aggregating, and monitoring all of the data.
These top five IoT security pieces are on Nokia’s radar to help security become more proactive, rather than simply reactive. Nokia developed a security architecture for service providers and enterprises that helps to deploy the right balance between both proactive and reactive security.
RW: Where do devices fit into the security picture?
Daisy Su: When talking about security, we need to focus on end-to-end security, covering not only network connectivity and the applications in which the user data is being transported, but also the device itself. What we have learned and discovered is that many IoT devices behave similarly to mobile devices in terms of connecting to mobile networks, and we need to make sure that the device management lifecycle that we traditionally do for mobile is applied to the entire IoT as well. Here are a few common security questions related to mobile devices that are relevant to IoT:
- How do we authenticate devices to make sure that they have the correct identities and credentials to be allowed into the system without compromising the network?
- How do we apply access control to make sure that the right users and the right devices do only what they are supposed to do?
- How do we ensure that the data from the devices is transported through a secure channel onto mobile networks so that it cannot be compromised or tampered with?
- How do we ensure data confidentiality, so that the intended receiver of the data is the only one who can read the data?
- How do we ensure that we know the status and the availability of all the devices connecting to this network?
We also need to be able to generate secure passwords and allow future locking and wiping for IoT devices if they are compromised. It is essential that we be able to apply security fixes remotely and to neutralize the IoT security threat when a vulnerability is detected.
Many IoT developers today have not focused strongly enough on how to secure the devices and connectivity to the networks. They have a general understanding of how to secure devices from the Internet point of view, but securing them on a mobile network involves very different knowledge, experience, and learning. There are a lot of back doors in IoT that people just don’t know how to close. Nokia has solutions to help both IoT service providers and mobile network operators track down and actively secure the vulnerable devices before, during, and after the attacks. We also provide a way to access millions of network-connected devices, secure them, and apply software updates and security patches remotely.
RW: What are some of the best practices, as we add millions of devices, in terms of deploying IoT networks?
DS: Managing network-connected devices starts with making sure that devices are certified according to industry standards and network operators’ specifications. At Nokia, we are helping service providers certify their mobile and IoT devices before on-boarding them to their network. For example, with our largest North American operators, we provide self-verification for device vendors to test their devices against the device protocols required. We also provide verification services for both network operators and device vendors to test and verify the devices with the end-to-end network use cases, making sure that they don’t compromise the network once they connect.
Once the device is certified, being able to connect the network to the proper on-boarding procedure is really important. The on-boarding procedure has to make sure that these devices are authorized and authenticated to connect to the network in real time.
But the complete device lifecycle management goes beyond certification and on-boarding. With Nokia Connected Device Platform, we can qualify the devices and detect new devices as soon as they attempt to connect to the network, thus authenticating and authorizing proper devices for access to the network. We can automatically and remotely activate, deactivate, and configure features and functionalities for the devices based on triggered policies and mobile network requirements. We can also provide maintenance functions, and identify and manage the flaws with the devices. Additionally, we can efficiently apply the most recent software and firmware updates onto millions of network-connected devices remotely.
When devices need security updates, these can be burdensome tasks, but we at Nokia can provide and support security updates for the mobile service provider. With IoT, there are multiple device models that are flooding the network, each of which supports multiple OS versions; every security update must be unique to a specific device model’s specific OS system.
So with millions of IoT devices connected to multiple networks, you have to figure out a way to update devices in the least amount of time and effort possible. You need a dynamic system to enable you to organize, analyze, and apply that firmware. At Nokia, we have successfully updated the security of more than 300 million mobile devices.
GR: What Daisy just described is incident prevention, incident detection, and incident mitigation. The second part, incident detection, is where the service providers play an important role with sophisticated machine learning analytics software. All of these big data techniques provide more predictive modeling for anomaly detection.
RW: There are a lot of solutions out there, and Nokia has its own as well, but what’s unique about how you’re addressing attack prevention?
GR: Our end-to-end security portfolio, which is called NetGuard Security, makes it simpler by cutting the security issue into three main blocks. Block one is endpoint security, which involves the encryption and authentication of end points and the detection of traffic anomalies. The second block is network security — the most essential part and probably, from the market revenue perspective, the most relevant because it covers the perimeter protection against external attacks. Block three is security management, which helps reduce the response time of security teams and even automate parts of mitigation processes.
Let’s use the Mirai botnet attack again as an example. Our threat intelligence center alerted our customer by providing guidance on how to react and implement new security policies, though in many of our networks, Mirai was not present at all. Still, we made sure that our customer was prepared in case they were attacked — that’s a critical part of security prevention. This kind of threat intelligence helps all customers implement preventative security, and with the even more sophisticated attacks we see on the cybersecurity horizon, you can’t be too prepared.
RW: Is there a different approach for enterprise? How is Nokia dealing with this target?
GR: What comes to mind are my recent conversations with some enterprises at one of the trade shows in the critical communication world in Hong Kong — the question I always get is how I can make sure that the convergence that happens between information technology and operations technology does not create a disaster precipitated by a hacker attack. The typical nightmare scenario for all security people working in the utility industry is that someone could hack into the IT system and get across to the OT. We have also recently seen attacks involving advanced persistent threats, like in Ukraine, where hackers gained access to the power grid system and denied thousands of people electricity for a few days.
The critical question is not that there is a big difference between SP service providers and enterprises, but rather how to reduce the pain of the volume and the velocity of security data alerts. More than 90 percent of enterprises receive more than 150,000 security alerts a year. With only a small team, there’s no way to look at all of the alerts; our research found that only 30 percent of security alerts are investigated.
This makes today’s technology landscape fertile ground for hackers. Target Inc., for example, has been hacked, and the hackers lurked inside the company’s network for months before they started exfiltrating the actual credit card data. Hackers are masters at waiting until the prime opportunity to strike presents itself; the average dwell time, the time that threat actors linger in a victim’s environment until they are detected, in cyberspace is 146 days. Today, we know that hackers are beginning to compromise low-value assets to capture the big fish — the high-value assets. We must make the dwell time harder and shorter to make hacking itself harder. This requires new security management to reduce the alert noise and focus on the real threats.
Finally, we must shorten the time between detection and remediation. And that’s what Nokia developed. Our NetGuard security management centers are easy-to-use security operations, analytics, and reporting software solutions that enable operators to prevent, pinpoint, and address security threats before they result in breaches. It shrinks detection time by 80 percent, and accelerates recovery time by 75 percent and investigation time by more than 50 percent.
DS: Securely on-boarding network-connected devices is essential, regardless of whether the IoT devices are provided by the service provider or enterprise. If the IoT devices provided by the enterprise need to connect to the mobile network, the same device lifecycle management procedures described earlier are applicable to all those enterprise IoT devices as well.
RW: What is the killer app for security on the horizon?
GR: That question makes it seem like there is a one-size-fits-all solution, but such a solution probably doesn’t exist. The same applies for cloud security and for smartphone security. Whenever we talk about security, all of the products and interlocking interfaces should be integrated so that we have a cohesive end-to-end solution that provides all of the unique capabilities to help our customers address the evolving security threat. And that happens for mobile broadband, for IoT, for cloud, or for whatever technological disruptions are prevalent at the time.
I’ve never heard of a killer app, but I think the right structure and strategy means from professional security to investigate where security holes exist, the right mix of security hardware and software deployments to prevent and detect security threats, and a mitigation system with a rapid response automation is essential. All three of those things help keep the balance between proactive and reactive security. Still, even that solution doesn’t work for everyone.
RW: I kind of asked that question knowing that the answer was going to be no, but I wanted to know anyway.
DS: Basically, security is the job of everyone — the users, the software, every single network element, every device on the network, everything.
This article was produced in partnership with Nokia.