While it is early days for 5G, one thing is clear: security and privacy will remain fundamental requirements, with the changes foreseen for 5G likely to broaden the range of attractive attack targets. We believe that massive IoT, one of the main application segments for 5G identified by standardization body 3GPP, is no exception.
The massive IoT segment will be extremely broad, covering not just M2M, but consumer-based services too. It is likely to consist of an ecosystem of potentially low-cost devices such as sensors and trackers as well as high-end home appliances, toys, some wearables, meters and alarms.
Device connectivity requirements will vary by use case. Some will require permanent connections, while others will only connect occasionally. Some devices may connect directly to a 3GPP network, whereas others will connect via a relay or gateway, using either a 3GPP or non-3GPP network. Some devices will be static, whereas others will move and will need the ability to manage network handover securely.
Data is likely to encompass geolocation data, sensor data such as meter readings, and private consumer data. Location and privacy protection for data must be enforced. For example, data from meters must not allow thieves to know if premises are occupied or not. In addition, much value in IoT comes from the integrity of the data so integrity protection is also vitally important.
Threats may include data manipulation, use of low-cost endpoints for entry into the network, rogue devices, equipment cloning and denial of service. Another major threat comes from suppliers themselves failing to invest in security for low-cost devices.
Means of mitigating these threats include secure provisioning, secure remote administration and configuration, authentication and data integrity measures. It’s also vitally important to understand that security should be proportionate to the value of the data being stored or in transit and the risk of compromise rather than to device cost.
Managing initial network connectivity securely will require secure provisioning of unique device and user identities for both network- and service-level access, network and service authentication credentials, and communication cryptographic keys as well as application identifiers.
Managing identities on the network will require identification of the application and corresponding application provider. It will also need secure storage of the unique identity on the device.
Mutual authentication of the device and network will also be necessary (it has been mandatory since 3G) as may mutual authentication for applications back to their service platforms.
In combination with the other major classes of use case: critical communications, enhanced mobile broadband and V2X, massive IoT poses a range of security challenges and requirements. SIMalliance believes that it is crucial that security is built into 5G from the outset. It has recently published An Analysis of the Security Needs of the 5G Market outlining its view of the security needs of each 5G segment.
SIMalliance is soon to launch a follow-up technical security requirements paper in late Q3 2016. Further articles from SIMalliance on TechTarget will draw on findings from that paper.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.