March 25, 2022

Reliable and Secure Connectivity for IoT

The IoT connectivity market is a great business to be in, given that we see significant growth in all segments and that we really do see customers using our connectivity to make fantastic services that improve everyday life. So, that is really an inspiration. 

One thing that we have seen lately is that the adoption of IoT tends to increase the dependence on connectivity. We see an increasing number of use cases, and an increasing number of users, where the connectivity is real-time critical. Either the criticality comes from life/death situations, such as:

  • Elderly alarms 
  • Home/business alarms 
  • Remote drones flying CPR equipment 

Or the criticality comes from a business perspective, where the business cannot function without connectivity:

  • Charging stations that need to be activated when payment comes through 
  • Taxis that cannot accept fares without the connectivity 

I think this increasing dependence puts a high responsibility on operators to put resilience, high uptime, and security at the top of the agenda, both in terms of investment in the network and by providing services and consultation on how to build connectivity solutions that are designed for high uptime.

Why choose cellular connectivity for the IoT application? 

In general, I think cellular connectivity is great, especially with the new technologies that are developed for IoT. Think of it like this:

  • You have coverage almost anywhere in the world without any investment or running any equipment yourself 
  • It has become much more affordable, and I would say that the value for money is amazing 
  • The networks are very high quality 
  • The security settings are in general high in the networks – and the requirements on 5G are much higher than previous generations
  • The networks are supported by a very strong industry, both on the technology side and the service provider side
    • The volume of connected devices enables components such as radio modules or routers at competitive price points
    • You can assume that the services will live on for the foreseeable future. This is important since you want to be sure that the devices you roll out will have connectivity for their lifetime
  • If you have a service that has a large geographical spread and that is important to you, I have a hard time seeing any better option.

Challenges, threats, risks with IoT applications 

When setting up an IoT application, most are focused on the benefits they want to achieve and how to get there quickly. And this is natural – you want to test the market fast to understand its potential. However, if you don’t consider the long-term operations of the platform, things can go wrong. 

I would divide the consequences into two areas: consequences that make the solution unavailable and make you unable to reap the benefits, and consequences that are costly.

Examples of things that make the solution unavailable are: 

  • Devices that are being hacked. A typical hack is when they are connected to the internet and a vulnerability is found and exploited 
  • Single points of failure in the solution making all devices go down at the same time 
  • Devices not being able to automatically recover from smaller disturbances or maintenance in the network. 

Examples of things that can be very costly are: 

  • Stolen SIM cards used for fraud 
  • Hacked devices misusing network resources for fraud 
  • Device updates causing behavior that disturbs the mobile networks or suddenly increases the usage for a large number of devices 
  • Solutions that are designed around network services that are normally free, such as USSD, voice and SMS MT, but that do not use them as intended. 

The costs for misbehaviour or telecom fraud in a large-scale roaming solution are significant. Worst case, you could be talking about millions, and the cost for unavailable solutions can put you out of business. So, this is important. 

Luckily, most of this can be avoided with simple precautions before scaling. Think about it: most hacks are not super hackers exploiting complex backdoors or deciphering your state-of-the-art encryption. Most of it is devices being on the public internet because you didn’t secure a VPN, or devices that still have default passwords, etc. 

Start small, but think from the start about how the solution can be scaled. Make sure you take advice from the experts at your operator before scaling to avoid common risks. 

Customer challenges when setting up secure solutions 

One thing which I think is underestimated in terms of challenges is the setup of VPNs between the operator and the customer’s data center. In a cellular IoT connectivity solution, an IPsec tunnel is often used to create a virtual network between the customer’s network and the network of their connected devices. This IPsec tunnel is used to communicate all data traffic to/from the device and, if not configured correctly, it is both a security hole and a single point of failure.

I don’t know how much you know about IPsec tunnels, but on paper it looks easy. Reuse your internet connection and just encrypt the data to avoid any eavesdropping or attacks. However, the configuration requires specialist competence, especially when designing a setup that your business is dependent on. 

At Tele2 IoT, we have standardized our IPsec tunnels to require customers to be connected to geo-redundant routers at Tele2 and to only use secure encryption methods. However, we do see that some customers have a hard time configuring it, especially when they are in a cloud environment.

The response from customers can be to suggest all sorts of workarounds, such as exposing devices to the public internet, only using an ACL to limit the IP address, or simply using a non-redundant IPsec tunnel with insecure settings. This would put the customer in a position where devices can be hacked or where the scaling of their solution could be jeopardized. 

I think in these cases, operators can assist customers by sticking to secure and reliable standards and providing alternative solutions that are still secure. We have, for example, a partnership with Equinix where we can route traffic via Equinix fiber to the customer’s data centers or directly to the hyperscale cloud providers. All of this is completely off the public internet, secure, and with full geo-redundancy and, also very important, with a simple and fast setup.

Approaches & Solutions 

When you are starting to grow your IoT service, your choice of connectivity service provider becomes an important decision. Of course, there are obvious things such as coverage and price which need to be covered, but there are other things to consider to make sure that your solution will be sustainable, secure, and reliable in the long term: 

  • Make sure you choose an operator with a clear IoT-focused organization and offer. There are differences in how you configure and support a mobile network for IoT and for B2B and these differences matter, especially when you start scaling 
  • What subscription management platform do they provide? Are you able to properly see your devices’ consumption and signaling? Are you able to automate response to unexpected device behavior? Is the platform reliable and proven to scale? 
  • Does the operator have an IoT-specific service desk and advisors who are experts on your IoT needs? 
  • Do they have security services that are standardized for high security and resilience? How long will it take for them to set things up? Our experience is that some operators’ delivery timelines are not in line with what younger companies expect 

There are a lot of good operators – make sure you select one that has a clear focus on IoT and that will support your needs in the long run. 

How operators can assist customers in avoiding IoT vulnerabilities 

First of all, I think just choosing an IoT-focused mobile operator is a good choice. Most mobile networks have a higher level of security built in than what you could expect from WiFi or other standards. 

Customers setting up their IoT solution are often very concerned about time and costs because they want to get to benefits fast and they don’t know how successful it will be. In order to avoid running into vulnerabilities in the long run, it is important that the operator makes security easy, affordable, and mandatory.  

We have taken the following decisions in relation to VPNs between our network and customers:  

  • Don’t allow any direct access to devices from the public internet. We have been challenged many times by customers that have previously used mobile broadband or WiFi, but it will never scale and be sustainable, so we say no 
  • Only allow IPsec tunnels that have proper encryption methods and require customers to have automatic failover between geo-redundant routers. Badly designed IPsec tunnels can be a security hole and a single point of failure 
  • Provide alternatives off the public internet. We are providing an alternative to IPsec tunnels that is affordable, simple to set up, and more secure and scalable. We call it Private Interconnect and it uses Equinix Fiber to connect to the customer’s data center or cloud provider. 

If you would like to learn more about how we can assist you in securing your IoT solution, please get in touch.  
