Issue 3. Connectivity Hub as an Enabler of IoT Solutions


Contents: Connectivity Hub as an Enabler of IoT Solutions; From the Gartner Files: What Securing the Internet of Things Means for CISOs; About Telefonica Business Solutions

IoT Market Potential

According to Gartner (1), endpoints of the Internet of Things will grow at a 31.7% CAGR until 2020, reaching an installed base of 20.8 billion units. In the business segment, the building or facilities automation category will present the highest growth (a CAGR of 91.6%), followed by the energy category (CAGR of 81.5%) and the automotive category (CAGR of 77.6%).

This rapid growth in the IoT industry brings a wide set of new challenges for customers, and IoT Connectivity Hub solutions are key to facing them.

IoT Connectivity Hub

Carriers and OTT vendors have typically deployed managed connectivity platforms delivered as cloud services with different levels of integration into a carrier's networks. The functionalities of managed connectivity can be accessed via web portal or APIs and include SIM inventory, SIM life cycle control, alarms and business rules, and reports.

Providers are now evolving their value proposition, delivering not only basic managed connectivity services but also a wide set of new advanced services, creating a new product category in the IoT ecosystem: the connectivity hub.

IoT Connectivity Hub is an important element of many Internet of Things solutions. It allows the management and automation of customer processes for their connected machines whilst minimizing security and fraud risks.

Connectivity Hub as an Enabler of IoT Solutions is published by Telefonica. Editorial content supplied by Telefonica is independent of Gartner analysis. All Gartner research is used with Gartner's permission, and was originally published as part of Gartner's syndicated research service available to all entitled Gartner clients. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner's endorsement of Telefonica's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.

What are the Benefits of IoT Connectivity Hub to a Business?

IoT Connectivity Hub can improve customers' productivity, lower costs, increase security and help to expand into new markets or develop new product offerings.

To increase productivity, Connectivity Hub solutions allow quick and easy integration of m2m services into customer processes and systems using APIs. The functionalities are also available through a web portal accessible from most common web browsers, which in turn enhances customer experience. IoT Connectivity Hub solutions offer different SIM lifecycle status models to match the customer's product lifecycle. To assure high availability across the connectivity, most service providers run m2m communications on redundant infrastructure that is separate from their traditional business. Some providers also offer global SIMs with extended coverage capabilities.

To lower customer costs, IoT Connectivity Hub solutions offer a wide set of tools to automatically control costs associated with SIM traffic, operation, maintenance and inventories.

To help customers tap into new market opportunities, IoT Connectivity Hub solutions can allow the seamless extension of product and service capabilities into different markets and can even enable new business models by developing new products and services in these new ventures.

Also, it is well documented that IoT suffers a growing number of cyber security attacks. IoT Connectivity Hub can help minimize these security threats.

The Importance of Finding the Right IoT Connectivity Hub Solution

Customers' needs are evolving in parallel with the IoT industry boom, which is why IoT Connectivity Hub solution providers need to evolve their functionality portfolios to stay in the game.

Moving to real-time billing

Many IoT customers manage a vast number of SIM cards generating traffic across several countries while using a heterogeneous and not always up-to-date portfolio of devices. Unexpected errors may occur, and devices can start behaving anomalously, with undesired calls or data sessions triggering unwanted spending. Customers want greater billing transparency to minimize the risk of bill shock.

To create a truly effective spend limit, the account balance must be monitored and billed in real time. This allows customers to detect when the limit is reached and to take the appropriate action, e.g. suspend the service or send a warning SMS. This is not possible with traditional batch billing and charging.

One of the most regularly demanded features in new connected cars is a Wi-Fi hotspot. This feature allows the car to operate as a Wi-Fi hotspot itself, sharing a wireless internet connection with other devices in the car. For this feature to work, it is critical to control traffic in real time and to cut it off at the moment the customer's credit expires. This is only possible with real-time billing and traffic control.

[Figure. Source: Telefonica]

Including location tracking and alarms services

Location services are very useful to customers because they help prevent unauthorized use of the SIM card when the SIM is moved away from its typical geographical area of operation. This feature is highly valued by Point of Sale (PoS) business customers, such as restaurants, where it is used to deactivate the SIM automatically when a PoS terminal changes its location. This functionality is also relevant in Smart Cities, since the devices used there typically do not change their location.

Location services can increase the efficiency of customer maintenance operations. Most IoT customers have large deployments of SIMs distributed over large geographical areas. IoT Connectivity Hub solutions allow customers to integrate the location information via API into their operation systems to plan optimal routes for on-field tasks.

The location services provided by IoT Connectivity Hub solution providers are based upon cellular network cell-id information together with alarms and automatic business rules. This allows business rules, such as deactivation of services or notifications, to be actioned automatically when a change in location is detected.

Taking care of security since it is Critical for IoT Solutions

Recently, there have been numerous IoT security-related scandals, and it is clear that IoT is becoming an increasingly attractive target for cybercriminals. A recent demonstration by two researchers at Def Con Hacking Conference, where they showed the ability to control the steering, braking and transmission of a connected car, led to the recall of 1.4 million vehicles in a bid to install a security update. This clearly served as a huge wake-up call to the IoT industry and highlighted the requirement to increase security levels. Huge steps in technology innovation are often accompanied by misuse and by those looking to abuse the new advancements. It is now more evident than ever that IoT will only be successful if the industry manages to secure the solutions that it builds.

Did you know: 400 high-tech South African traffic lights were put out of service after thieves in Johannesburg stole the m2m cards they contained. The thieves spent huge amounts of money by using the stolen cards to make calls.

The biggest risks in IoT security come from within the devices themselves, as well as from the platforms that support these devices. Many of the devices are built on top of open source libraries and components, and device manufacturers are continuously updating their firmware as they find vulnerabilities. IoT Connectivity Hub is a key component in increasing these security levels in IoT solutions and helping prevent security attacks and fraudulent uses.

Each IoT market segment requires different levels of security. For instance, the connected car sector or the ehealth sector requires many more security features than agriculture.

There are several IoT Connectivity Hub features to prevent security breaches that can be grouped in multiple layers:

Connectivity / transport security:
o Private APNs and secure connectivity. Most IoT Connectivity Hub providers offer a wide set of connectivity choices to connect devices according to their security needs: Internet, Internet with IP filters, IPSec and MPLS.

Platform security:
o All infrastructure that supports the service has to follow the highest security standards. Telco players usually include security capabilities within their own networks, like dedicated IoT infrastructure and redundancies, in order to protect against external attacks.
o Secure customer access to the web portal and APIs in which customers can manage the SIMs. To improve security, some platforms can provide customers with https, certificates and even two-factor authentication processes.
o Profile management. Customers can manage several profiles over the same account to guarantee that each employee accesses the information that is relevant for his or her role.
o IMEI change alarms and automatic business rules to ensure the SIM can only be used in an authorized device, blocking its use in other devices. The automatic business rules include notifications, activation/deactivation of services and updates of SIM status.
o Numbering restrictions to outgoing and/or incoming calls and SMSs. IoT Connectivity Hub solutions allow all outgoing and incoming calls to be blocked with numbering rules that can be customized by the customer.
o Service activation/deactivation at SIM level. Customers can autonomously and manually activate or deactivate services at SIM level. This is relevant in some industries in which device firmware is configured by SMSs. Customers can activate the SMS service only during maintenance works.
o Real time control of traffic and expenses. Customers can establish thresholds for traffic and expenses at SIM level, taking into account their typical device traffic needs, and get notifications and trigger automatic actions when the thresholds are reached. This minimizes unwanted impacts since customers can react without delays.
o Location change alarms and automatic business rules to ensure that the SIM can only be used at its typical authorized location. If somebody moves the SIM to another location, an automatic action can be configured to deactivate the SIM or to send a notification.

Customer application backend security:
o Vulnerability management service to detect the weak points of customer backend applications, identifying corrective or preventive measures.

IoT Device security:
o Use of certificates and public key infrastructure for strong device authentication, providing a digital identity to any IoT device and allowing added-value services such as digital signature and the ciphering of sensitive data stored in the device.

Future Trends in IoT Connectivity Hub Solutions

IoT solutions are growing in complexity, often using different approaches to provide connectivity. The technologies that are currently available to cover the connectivity layer of IoT solutions are:
o Traditional Cellular (2G, 3G, 4G)
o Cellular Low Power Wide Area (e.g. Sigfox)
o Mesh (e.g. ZigBee, Z-Wave, etc.)
o Fixed Line
o Satellite
o WiFi

Customers are deploying solutions that use, under the same service, a diverse range of devices, each requiring different types of communication, and want to manage all of these together under a single managed communication service. This business need is the reason IoT Connectivity platforms are evolving to act as a central connectivity hub for this new arena.

[Figure 2. IoT Connectivity Hub. Source: Telefonica]

IoT Connectivity Hub solutions are also growing along the IoT end-to-end value chain, since they are including device management capabilities. These new features are:
o Device inventory
o Device auto-configuration
o Device software and firmware updates management
o Remote diagnosis and error fixing tools

Telefonica IoT Connectivity Hub: Smart m2m solution

Smart m2m is an IoT Connectivity Hub solution developed in-house by Telefonica, currently with more than 1000 customers distributed globally. Smart m2m is designed to have all the typical managed connectivity services (inventory, SIM life cycle control, alarms and business rules, reports) and, furthermore, a set of differentiating features such as:
o Real time billing control
o Geo location services
o Device management capabilities
o Enhanced security features such as:
  o Physically and environmentally redundant and secured infrastructure
  o Location detection changes alarms
  o Numbering restrictions to outgoing and/or incoming calls and SMSs
  o Service activation/deactivation at SIM level
  o Vulnerability management service
  o Digital identity service

This allows Telefonica to provide customers with an end-to-end IoT security value proposition to prevent, detect and respond to any potential risk. All advanced and standard functions are accessible via Secure Web Portal or API.

[Figure 3. Telefonica Smart m2m. Source: Telefonica]

References:
(1) Source: Gartner, Forecast: Internet of Things Endpoints and Associated Services, Worldwide, 2015, IoT Units Installed Base by Spending Center, Category and Subcategory, 2013-2020 (Millions of Units) (October 2015)
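The SIM-level business rules described above (IMEI change alarms, cell-id location change alarms and real-time expense thresholds) can be sketched as a per-event rule evaluator. This is an added example, not Telefonica's or any platform's code; the policy fields, action names and sample events are hypothetical and constructed for illustration. It also contrasts the result with batch billing, where the limit is only checked after the usage has already been incurred.

```python
"""SIM business rules evaluated per usage event (added example, constructed data)."""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class SimPolicy:
    # Hypothetical policy fields modelling the rules described in the text.
    authorized_imei: str                  # only device allowed to use this SIM
    allowed_cells: frozenset              # cell-ids of the normal operating area
    spend_limit: Decimal                  # hard limit for the billing period
    warn_ratio: Decimal = Decimal("0.8")  # notify at 80% of the limit


@dataclass
class SimState:
    active: bool = True
    spent: Decimal = Decimal("0.00")
    warned: bool = False
    alarms: list = field(default_factory=list)


def process_event(policy, state, event):
    """Apply the rules to one usage event and return the actions taken."""
    if not state.active:
        return ["blocked"]  # SIM already deactivated: no traffic, no cost
    actions = []
    if event["imei"] != policy.authorized_imei:
        # SIM moved into another device (for example a stolen m2m card).
        actions = ["alarm:imei_change", "deactivate"]
    elif event["cell_id"] not in policy.allowed_cells:
        # SIM is outside its usual area of operation.
        actions = ["alarm:location_change", "deactivate"]
    else:
        cost = Decimal(event["cost"])
        if state.spent + cost > policy.spend_limit:
            # Real-time control: refuse the usage that would break the limit.
            actions = ["alarm:spend_limit", "deactivate"]
        else:
            state.spent += cost
            threshold = policy.spend_limit * policy.warn_ratio
            if not state.warned and state.spent >= threshold:
                state.warned = True
                actions = ["notify:spend_warning"]
    if "deactivate" in actions:
        state.active = False
    state.alarms.extend(a for a in actions if a.startswith("alarm:"))
    return actions


def run_realtime(policy, events):
    """Evaluate every event as it arrives; return final state and action log."""
    state = SimState()
    log = [process_event(policy, state, e) for e in events]
    return state, log


def batch_overshoot(policy, events):
    """Batch billing: usage is rated afterwards, so nothing stops the spend."""
    total = sum((Decimal(e["cost"]) for e in events), Decimal("0.00"))
    return max(total - policy.spend_limit, Decimal("0.00"))


# Constructed sample data (not from the original document).
POLICY = SimPolicy(
    authorized_imei="IMEI-POS-TERMINAL-1",
    allowed_cells=frozenset({"cell-100", "cell-101"}),
    spend_limit=Decimal("10.00"),
)
OK = {"imei": "IMEI-POS-TERMINAL-1", "cell_id": "cell-100"}
USAGE_EVENTS = [
    {**OK, "cost": "3.00"},
    {**OK, "cell_id": "cell-101", "cost": "5.50"},  # crosses the 80% warning
    {**OK, "cost": "4.00"},                         # would exceed the limit
    {**OK, "cost": "20.00"},                        # runaway device, now blocked
]
THEFT_EVENTS = [
    {"imei": "IMEI-UNKNOWN-HANDSET", "cell_id": "cell-100", "cost": "2.00"},
    {"imei": "IMEI-UNKNOWN-HANDSET", "cell_id": "cell-100", "cost": "9.00"},
]
MOVED_EVENTS = [{**OK, "cell_id": "cell-999", "cost": "1.00"}]

if __name__ == "__main__":
    for name, events in [("usage", USAGE_EVENTS), ("theft", THEFT_EVENTS),
                         ("moved", MOVED_EVENTS)]:
        state, log = run_realtime(POLICY, events)
        print(name, "spent:", state.spent, "alarms:", state.alarms, "log:", log)
    print("batch overshoot:", batch_overshoot(POLICY, USAGE_EVENTS))
```
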

From the Gartner Files: What Securing the Internet of Things Means for CISOs

The Internet of Things redefines security by expanding the scope of responsibility into new platforms, services and directions. CISOs should focus existing security resources on specific use cases to identify new patterns for Internet of Things security solutions.

Impacts

o The power of an Internet of Things (IoT) object to change the state of environments, in addition to generating information, will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities.
o Most IoT devices and services may be Nexus of Forces-driven, but CISOs will be dealing simultaneously with all past eras of technology to secure the necessary scale and complexity that an IoT world demands.
o IoT security needs will be driven by specific business use cases that are resistant to categorization, compelling CISOs to prioritize initial implementations of IoT scenarios by tactical risk.
o The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.

Recommendations

o Deconstruct your current principles of IT security in the enterprise: the information mold and context of IT are too limiting. Expand technology security planning and architecture to include new (and old) technology and service delivery platforms and patterns.
o Evaluate incoming IoT security requirements that account for possible combinations of mainframe, client/server, Web, cloud and mobile security needs, which are impacted by operational technology (OT) and physical security in specific use cases.
o Do not overthink IoT security planning. Develop initial IoT security projects based on specific, even tactical, business risk profiles, then build on those experiences to develop common security deployment scenarios, core architectural foundations and responsibilities.
o Leverage current bring your own device (BYOD), mobile, cloud, OT, and physical security governance, management and operations for IoT use cases.
o Monitor adoption of key IoT-specific wireless-communication-, hardware-, connected-device- and cloud-based platforms.

Strategic Planning Assumption

IoT security requirements will reshape and expand over half of all global enterprise IT security programs by 2020 due to changes in supported platform and service scale, diversity and function.

Analysis

In an IoT world, information is the "fuel" that is used to change the physical state of environments through devices that are not general-purpose computers but, instead, devices and services that are designed for specific purposes. The IoT is a conspicuous inflection point for IT security, and the CISO will be on the front lines of its emerging and complex governance and management.

Gartner's Nexus of Forces (cloud, social, mobile and information) is driving early-state opportunities in the IoT. The IoT has a myriad of commercial and consumer technology use cases that range from connected homes and connected automobiles to wearable devices to intelligent medical equipment to sensor systems for smart cities and facilities management. The characteristics of intelligent, purpose-built devices that are networked to provide information and state changes for themselves or surrounding environments are increasingly used in OT systems, such as those found in industrial control and automation (sometimes referred to as the "industrial IoT").

But securing the IoT represents new CISO challenges in terms of the type, scale and complexity of the technologies and services that are required. The IoT endpoints extend across the perimeter (and between third parties) to externally controlled appliances, customers and sensory-based technology that challenge traditional, layered-protection security management. In Gartner's security and risk management scenario for 2020, the "target" axis moves between the enterprise and the individual. Securing the IoT impacts both targets. It does not take much imagination to see the compromising impact of powering down or affecting millions of devices through a single IoT vulnerability, potentially resulting in physical damage to environments, injuries or death.

Although an IoT device may seem new and unique, a hybrid of old and new technology infrastructure enables the services that the device consumes to perform. Securing the IoT will force most enterprises to use old and new technologies from all eras (mainframe, client/server, Web, cloud and mobile) to secure devices and services that are integrated via specific business use cases. This also means that many of yesterday's problems will make their way into the IoT.

CISOs will play an increased role in physical security responsibilities as present-day IT systems, legacy IT infrastructure, OT and the IoT become more automated and dependent on secure facilities to function. CISOs must balance specific business drivers with scalable security governance and management in a coming era that will be dominated by sensors, embedded systems, machine-to-machine (M2M) communications and purpose-built devices.

Impacts and Recommendations

The power of an IoT object to change the state of environments in addition to generating information will cause CISOs to redefine the scope of their security efforts beyond present responsibilities

The IoT is redrawing the lines of IT responsibilities for the enterprise. IoT objects possess the ability to change the state of the environment around them, or even their own state (for example, by raising the temperature of a room automatically once a sensor has determined it is too cold or by adjusting the flow of fluids to a patient in a hospital bed based on information about the patient's medical records). Securing the IoT expands the responsibility of the traditional IT security practice with every new identifying, sensing and communicating device that is added for each new business use case, particularly if device operations have such impacts. Integrity (that is, correct functionality) is more critical for environment-changing systems that are people-impactful than it is for information alone.

[Figure 1. Impacts and Top Recommendations for CISOs. Source: Gartner (April 2014)]

Information technology is now being supplemented by purpose-built, industry-specific technologies that are tailored by where and how a device is used and what function it delivers. Information remains a key deliverable: information is the fuel for IoT devices. Their ability to identify themselves (such as RFID tags that identify cargo), sense the environment (such as temperature and pressure sensors) or communicate (such as devices in ocean buoys that transmit environmental changes to the areas around them) requires information to be generated, communicated and/or used.

Although traditional IT infrastructure is capable of many of these functions, functions delivered as purpose-built platforms using embedded technology, sensors and M2M communications for specific business use cases signal a change in the traditional concept of IT and hence the concept of securing IT. For example, process, storage and power limitations on low-cost devices with minimal memory and processing power will curtail agent-based security solutions. Real-time, event-driven applications and nonstandard protocols will require changes to application testing, vulnerability, and identity and access management (IAM) approaches. Handling network scale, data transfer methods and memory usage differences will also require changes. Governance, management and operations of security functions will need to be significant to accommodate expanded responsibilities, similar to the ways that BYOD, mobile and cloud computing delivery have required changes, but on a much larger scale and in greater breadth. IT will learn much from its OT predecessors in handling this new environment. This is an inflection point for security.

Recommendations:
o Deconstruct your current principles of IT security in the enterprise by re-evaluating practices and processes in light of the IoT impact: the information mold and context of IT are too limiting.
o Expand IT security planning and architecture to incorporate new (and old) technology and service delivery platforms.

Most IoT devices and services may be Nexus of Forces-based, but CISOs will be dealing simultaneously with all past eras of technology to secure the necessary scale and complexity that an IoT world demands

Many CISOs mistakenly believe that the IoT consists of all new technologies and services. Although the business use cases being identified daily are indeed innovative and new, the technologies and services that deliver them are seldom new as well as seldom uniform in architecture and design. Each use case risk profile has specific requirements that may result in the use of old platform and service architecture with a new technology "overlay" to improve performance and control. This represents an interesting challenge for CISOs when delivering secure services for the IoT. In some cases, it may be a "past is future" exercise in evaluating mainframe, client/server, Web, cloud and mobile security options as part of an overall IoT business use case. Even out-of-maintenance systems such as Windows XP may still play a critical role for some industry infrastructure as part of an IoT security system. Security planners should not throw away their old security technology manuals just yet.

CISOs should not automatically assume that existing security technologies and services must be replaced; instead, they should evaluate the potential of integrating new security solutions with old. Many traditional security product and service providers are already expanding their existing portfolios to incorporate basic support for embedded systems and M2M communications, including support for communications protocols, application security and IAM requirements that are specific to the IoT. There are increasing options for delivering OT security to supplement IT security, focusing on areas such as threat detection and response and vulnerability management. In addition, solution providers for areas such as connected home, facilities management and physical access control are using IoT devices for physical security as well as providing security management and operations solutions for networks of the IoT. Unfortunately, there is equal opportunity for the security product and service industry to repeat undesirable history by inadequately incorporating security capabilities during the manufacturing and software development period. Recommendation: Evaluate incoming IoT security requirements that account for possible concurrent combinations of mainframe, client/server, Web, cloud and mobile security needs, which are impacted by OT and physical security in specific use cases. IoT security needs will be driven by specific business uses cases that are resistant to categorization, compelling CISOs to prioritize security implementations of IoT scenarios by tactical risk At this time, there is no guide to securing IoT available that provides CISOs with a framework for incorporating IoT principles across all industries and use cases. Another unique characteristic of the IoT is the sheer number of possible combinations of device technologies and services that can be applied to those use cases. 
What constitutes an IoT object is still up for interpretation, so securing the IoT is a moving target. However, it is possible for CISOs to establish an interim planning strategy, one that takes advantage of the bottom-up approach available today for securing the IoT. Security leaders should not overthink IoT security by attempting to draft a grand strategy that encompasses all IoT security needs to this point in time. Lower the residual risk of the IoT by assessing whether your particular business use case provides better control and performance.

Enterprises can be considered part of the IoT if they are using devices that:

• Are networked for communication on private networks, public networks or the Internet
• Have some capacity to identify, sense and/or communicate information about a device itself or the state of the environment in which the device resides

CISOs will find that devices that use sensors, use some form of M2M communications for most functions, are built with embedded systems and have a means of being identified will appear increasingly in specific business use cases. CISOs must establish a presence in the early planning cycles for those use cases. Leverage planning results to identify any common security design components that can use existing security solutions or that require specialized technology or services to meet security policy requirements of the enterprise. After working with several use cases, a pattern of security requirements that is consistent with the specific industry of the enterprise should emerge to allow the CISO to develop core security services for safeguarding IoT in subsequent projects.

Recommendations:

• Do not overthink IoT security planning; patterns and solutions are still evolving. Start small. For now, develop initial security projects based on specific IoT interactions within specific business use cases. As a result, seek to define ownership and responsibility areas for security.
• Build on these use case experiences to develop common security deployment scenarios, core architectural foundations and a competency center for the future.

The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security

Fortunately, many of the security requirements for the IoT will look familiar to the CISO. The technologies and services that have been used for decades to secure different eras of computing are still applicable in most cases. For example, past planning in mobile security and BYOD will be applicable because many of the IoT devices can be protected with mobile security solutions and IoT devices may be managed within BYOD frameworks. CISOs will also find that, even though there may be complexity that is introduced by the scale of the IoT use case or the unusual operating system, communications protocol or embedded firmware requirements, the core principles of data, application, network, systems and hardware security are still applicable. However, there will be differences in governance, risk, management and operations.

For enterprises with significant OT assets (such as manufacturing, energy and utilities, chemical, transportation or healthcare), there will also be additional complexity for the CISO. Many OT security requirements engage physical security practices, including health and safety systems, perimeter surveillance, physical access control and facilities management. IT planners have paid too little attention to the growth of these requirements. CISOs must be prepared for those use cases involving the IoT where OT and physical security requirements will be part of the end-to-end solution and coordinate accordingly. Enterprises with OT assets are increasingly converging, aligning and integrating their IT and OT security teams, which will also impact governance and planning efforts for securing the IoT.
Recommendations:

• Leverage current BYOD, mobile, cloud, OT, and physical security governance, management and operations to consider the IoT use cases as your enterprise deploys them.
• CISOs should direct their staff members to monitor progress in the following technologies to ensure an understanding of security requirements:
  • Wireless technologies and standards, such as ZigBee and Modbus
  • Hardware platforms, such as Arduino and TMote Sky
  • Connected-device software platforms, such as TinyOS and Android
  • Cloud application software platforms, such as ThingWorx and Evrythng

Evidence

O. Mazhelis and others, Internet-of-Things Market, Value Networks, and Business Models: State of the Art Report, University of Jyväskylä, Department of Computer Science and Information Systems, 2013.
T. Brewster, There Are Real and Present Dangers Around the Internet of Things, The Guardian, 20 March 2014.
S. Rodriguez, Refrigerator Among Devices Hacked in Internet of Things Cyber Attack, The Los Angeles Times, 16 January 2014.

Source: Gartner Research, G00259020, Earl Perkins, 11 April 2014

About Telefonica Business Solutions

Telefonica Business Solutions, a leading provider of a wide range of integrated communication solutions for the B2B market, manages globally the Enterprise (Large Enterprise and SME), MNC (Multinational Corporations), Wholesale (fixed and mobile carriers, ISPs and content providers) and Roaming businesses within the Telefonica Group. Business Solutions develops an integrated, innovative and competitive portfolio for the B2B segment including digital solutions (m2m, Cloud, Security, e-health or Digital Marketing) and telecommunication services (international voice, IP, bandwidth capacity, satellite services, mobility, integrated fixed, mobile, IT services and global solutions). Telefonica Business Solutions is a multicultural organization, working in over 40 countries and with service reach in over 170 countries.

https://twitter.com/telefonicab2b