We foresee 6.4 billion IoT connections using fixed, mobile and low-power wide-area (LPWA) networks in the world by 2025. As the IoT market grows, so does the security risk. The discussions on how to secure IoT are increasingly the focus of attention. An end-to-end IoT project consists of multiple, often diverse, devices, various platforms, layers, and interfaces, creating a great deal of complexity to the security issue. Security has moved up the list of priorities for IoT projects. Telecom operators as IoT service providers need to develop their IoT security capabilities with relevant products and skills sets to match their IoT strategy and ambition.
IoT security featured widely in the headlines for all the wrong reasons in 2016. The size and scale of some of the breaches has alarmed enterprises as well as governments and regulators. Both IoT service providers and the end users suffer from security breaches, from financial losses caused by service downtime to a loss of confidence and customers. Security has moved up the agenda when firms evaluate suppliers for new IoT projects, especially for specific verticals such as health, finance and critical infrastructure projects such as smart grid.
End-to-end IoT security is a complex proposition. To achieve a high standard of security it will have to be built in by design and will need different players to work together. Although building security in by design will likely add some additional upfront cost, it may reduce the overall complexity and costs of delivering security for the lifecycle of the project. Also, no single player is able to provide end-to-end security alone, and players will need to partner to achieve satisfactory end-to-end solutions.
Security can help operators differentiate and strengthen their IoT propositions
There are strong reasons for operators to provide IoT security services, including differentiating their connectivity service, defending their IoT business, enhancing their IoT offering, and building a brand as a trusted partner. Telecom operators have native advantages: Security requirements such as secured transmission, safe data and user authentication have been fused into the telcos’ network for decades, and cellular networks are generally viewed as reliable. Operators also inherit strength in securing the connectivity layer with carrier-grade standards and embedded security solutions.
By 2025, more than half of the total IoT connections globally will be LPWA connections, and LPWA will bring new and different challenges. Many of the devices connected to a LPWA network will be low power devices with low computing power hence there will be significant challenges to maintain security levels over the lifecycle of the device.
Given the lower barriers to entry to the LPWA market, operators will need to ensure that partners follow established security guidelines to secure products. Some leading operators are attempting to exercise some control over this through their IoT developer initiatives which build awareness of LPWA and provide developer tools. For example, Verizon built its IoT security credentialing platform for customers and developers. Industry bodies such as the 3GPP, the LoRa Alliance and other LPWA technology vendor initiatives are also driving ecosystem collaboration to address the challenge.
Operators will also have an opportunity to differentiate their LPWA offerings by providing security by design from the outset. and although this will likely add some additional upfront cost it will reduce the overall costs of delivering security for the lifecycle of the project.
Telcos need to develop security offerings matching their IoT proposition across the value chain
Operators should mirror their security offerings closely to their IoT strategy beyond connectivity on the value chain, providing tailored security for their target verticals. They need to secure all value chain components of their service offering, and those who provide end-to-end IoT solutions will need to build, partner and possibly acquire to ensure that they can secure what they offer, although the control and responsibility ends at the enterprise.
Operators are taking mixed approaches to IoT security and making investments to secure their IoT strategy, aligning to their vertical focuses. Vodafone for example is deploying R&D resource to build new IoT security capabilities. KPN Ventures has invested in Security Matters reflecting the parent company’s strategy to focus on manufacturing opportunities as part of its enterprise and IoT strategies. AT&T is also investing in companies focused on providing security for industrial control networks.
Also, operators need to educate their customers on potential IoT security risks and demonstrate the benefits of security. However, selling IoT security solutions will not necessarily generate substantial revenues for operators. Security at the connectivity layer is embedded and not optional but could be used to bolster the value of the connectivity offering. Security for other components of the value chain will be a premium service but might have to be delivered via partners. Either way, IoT security is moving into the spotlight.
Sherrie Huang is lead analyst for Analysys Mason's Asia-Pacific research program, and Michele Mackenzie is principal analyst for Analysys Mason's IoT and M2M Services research program