"Complacent" companies need to wake up to IoT security, Vodafone urges

Features

Companies are "complacent" about IoT security threats, with more than half not testing for vulnerabilities before and after deployment, Vodafone's Director of IoT Erik Brenneis has said.

The UK-based operator’s annual IoT Barometer report reveals companies across the board are happy to place security down their list of priorities.

Only seven percent of companies with more than 10,000 connected devices say safeguarding their networks is their top concern.

More worrying is the statistic that only 37 percent of adopters are testing the security of their IoT network as they are building it, a figure Vodafone notes should be higher. Even when the network is live, only 40 percent of adopters are actively checking for vulnerabilities.

Another concern is that only 27 percent of respondents say they separate their IoT network from other systems, a statistic Vodafone describes as "worrying".

When asked whether he feels there is too much complacency about the risks facing IoT networks, Brenneis tells Mobile Europe: "I think that's definitely true… we would always recommend a customer to test during the development and also test the running system. We help them to do that.

"I think the awareness about what needs to happen to have a system that's as secure as possible needs to still grow."

He says security is akin to personal health. While it's likely you will catch a cold, you can take steps to avoid it, whether it's a healthy diet, getting enough sleep and/or staying fit.

Similarly, while IoT breaches are inevitable, there are plenty of actions one can take to defend against them.

Brenneis notes things have got better from when the IoT was in its infancy. He says: "Historically a lot of the security incidents happened with people who just put a standard SIM card, without any IoT system around it, into a car [for example]. This standard SIM card would have a telephone number so just by phoning it you could open a data line and send commands to the telematic box.

"Our IoT system by definition is a closed system so anyone of our SIMs from our service delivery platform can't be addressed from outside. You also need authentication mechanisms.

The data connection is a private VPN tunnel that we monitor whether somebody tries to get inside and so on."

However, if a company is picking and choosing from a range of partners to build their network, the buck stops with them. Brenneis says: "The awareness has grown and the sheer fact companies have nominated responsible people in their organisations as chief security officers and they are putting effort into this gives me confidence they can address this better in the future."

Another problem, especially in Europe, is getting the skills to fix any holes in a ropey network. Asia leads the way with 83 percent of surveyed companies saying they have the skills to deal with threats, considerably ahead of European respondents at 70 percent.

Explaining the disparity, Brenneis says: "From my knowledge of Asia, there's a lot of software engineers coming from university so that there is more of a surplus of skills than we have in Europe. Especially in Germany, with its strong industrial base, we have a shortage of software resources at the moment."

Even so, the skills of respondents' security teams are only assessed as "adequate", which may not strike their network's customers with confidence; after all, one wouldn't invest their savings in a bank with "adequate" security.

But there are signs that companies with IoT networks are keen to change this. Last year, 42 percent said they were training staff up in security skills, a figure that sits at 48 percent today. More IoT adopters are also employing security specialists, up from 41 percent 12 months ago to 46 percent in 2017.

Vodafone's IoT Barometer is now in its fifth year and shows that while the technology is becoming ever more prevalent, the increase in the number of new companies adopting it has slowed over the past two years.

[Read more: Vodafone’s annual IoT Barometer points to a lull in the storm]

Brenneis thinks new technologies, notably NB-IoT, which Vodafone has been an enthusiastic early backer of via deployments in Ireland and Spain, can lead a new wave of adoption.

The Barometer found 55 percent of organisations are investigating NB-IoT for their networks, compared to 52 percent looking into LTE-M, and 47 percent examining LoRa or Sigfox. A tight market, but one Brenneis puts down to NB-IoT's comparatively late entry into the space last year.

However, he predicts the years ahead will see the technology stretch its lead. He says: "NB-IoT is a global standard, just like 2G, 3G, LTE, 5G and LTE-Cat 1 [LTE-M]. As the technology matures, the hardware prices will go down sharply as there will be higher volumes.

"This in turn will lead to ubiquitous networks. For example, we can switch on our base stations through software updates for narrowband-IoT to add more and more connections to get on this technology."

He says NB-IoT's standardised nature will lead to it meeting the need for long battery lives and reliable communication. LTE-M will satisfy the itch for high data rates.

He delves into his past when describing why Vodafone was never keen on the unlicensed LoRa. When Brenneis was at metering company Landis+Gyr, he was involved in a project using unlicensed spectrum to connect meters. What he didn't realise was that nearby car alarms were using the same frequency, triggering a cacophony of honking.

A cautionary tale about the disadvantages of using unlicensed spectrum and why security matters. Brenneis is hoping enterprises are listening in particular to the latter issue or else more alarm bells will be set to ring.