The Internet of Things (IoT) may be disrupting the world economy, but security remains a sticking point. Low-power wide-area (LPWA) networks carrying IoT data from devices such as water meters and smoke detectors are particularly challenged by the heavy processing that security typically entails. The good news is that technical standards nearing ratification will soon start protecting these devices in efficient new ways using algorithms already built into the cellular network.
An emerging security standard called BEST1 conserves battery life while securing IoT data. The 3GPP, the international body in charge of mobile broadband standards development, is overseeing BEST, which applies to IoT services carried across licensed mobile frequencies. BEST is especially suited to applications using sensors that rely on batteries as a power source, such as smart metering, asset management, and environmental monitoring.
Most business plans associated with these high-volume IoT deployments call for using low-cost batteries with very long lives—10 years or more—to avoid the expense and interruption of having to continually replace them. The typical security process, though, involves overhead-heavy, certificate-based mutual authentication and complicated Public Key Infrastructure (PKI) management, which quickly consume battery power. Because of this complexity and overhead, it can be tempting to forego security when implementing IoT applications in order to conserve battery life.
Can You Trust the Data?
However, IoT data that hasn’t been secured is untrusted data. And data you can’t trust is useless at best. For example, if you have no confidence that your water meter reading is accurate, why bother collecting it? At worst, untrusted data can be damaging. If a heart monitor’s data has been manipulated, someone’s health may be put at risk.
The BEST standard introduces a way to get the best of both worlds: low-power battery-operated devices with long lives and robust security. In this way, BEST represents a significant turning point in IoT. Companies plan to spend US$15 trillion globally in aggregate IoT investment between 2017 and 2025, according to BI Intelligence2. If IoT isn’t secure, those investments could be in jeopardy. In fact, Nemertes Research3 reports that while IoT figures prominently in most companies’ digital transformation plans, security is most often an afterthought—a situation that the researcher warns is creating unacceptable risk.
Work with the 3GPP
Juniper is tackling that risk and helping advance the state of security by working closely with the 3GPP and other companies drafting the BEST protocol. As part of that work, we’re developing a BEST gateway capability (known as an HPLMN4 Security Endpoint, or HSE) as a proof of concept and for interoperability testing.
BEST capitalizes on the cellular network’s pre-shared key (PSK) for authentication. From this PSK, the network derives integrity protection and encryption keys that run between an IoT device and an HSE gateway in the operator’s core. Using the cellular PSK along with an Embedded SIM (E-SIM) card simplifies the provisioning and improves effiency by making use of the mutual authentication that already exists in the network. This setup saves battery power because you don’t need to run authentication and encryption algorithms on IoT devices directly; the task is offloaded to the cellular network instead.
As a result, mobile operators can deliver highly scalable, secure celluar connectivity for carrying IoT traffic. And once BEST has been tested and built into commercial products and services next year, you’ll be able to help your enterprise customers deploy massive IoT securely at a much lower cost than is possible today.
Delivering Value-Added Security Services
BEST technology also gives you the opportunity to offer new value-added IoT security services and to better compete against unlicensed-band IoT network alternatives, such as LoRaWAN and Sigfox. LoRaWAN and Sigfox came to market much earlier and have made significant traction, though as unlicensed options, they can be perceived as less secure. More importantly, BEST is a part of 3GPP. So, unlike its unlicensed competitors, it will benefit from the massive installed base of cellular technology and its ecosystem of network operators, infrastructure vendors, and software developers. With BEST, you can boost your cellular network value proposition with secure IoT connectivity and differentiate your service offerings.
And with BEST-based managed IoT security services, you’ll help your enterprise customers secure their battery-constrained IoT devices with simplicity and lower cost. Enterprises that opt to use a cellular BEST-based service, for example, avoid buying and managing security gateways themselves to terminate encryption throughout their networks. BEST further improves the business case for many IoT deployments in that end users won’t have to visit remote areas as frequently to replace sensor batteries.
Operator Deployment Options
You can deploy BEST to offer “end-to-end” security (between the device and an enterprise application server) to your enterprise customers. You can also deploy “end-to-middle” security (between the device and an HSE gateway in your home network) for your own use to mitigate risks.
For example, IoT transmissions often traverse the licensed mobile networks of multiple operators, which have roaming partnership agreements. Most service providers would consider the visited partner network less trustworthy than their own home network. So they don’t want to depend on the visited network to provide confidentiality or integrity.
One way of addressing this concern is to use BEST for end-to-middle security, which establishes a secure channel between the IoT device or user equipment and the HSE gateway in your home network. This way, you avoid trusting intermediate communications links and therefore mitigate risks.
You can deploy end-to-middle security for integrity protection, confidentiality protection (encryption), or both. Some service providers may choose not to implement the end-to-middle encryption for confidentiality protection, however, if they want to provide local law enforcement agencies in other parts of the world with lawful intercept capabilities.
Differentiate Services While Lowering Risk
BEST technology is intended to work with your licensed cellular network that supports Narrowband-IoT (NB-IoT) or LTE-M technology. You can take advantage of BEST to differentiate your service offerings, create additional revenue streams, and mitigate risk. By offering managed IoT security as a value-added service with BEST, you’ll also ease the IoT power-versus-security conundrum for enterprises.
Learn more about BEST and IoT security in the resources for this article. For a briefing on BEST, contact your Juniper account representative.