For threats that don't yet exist
Solving today's IoT security challenges is not enough. You need to plan for threats that don't even exist yet. That means building on proven principles and making sure you've always got the flexibility to adapt.
Secure by design
The starting point of Telia LPWA and LPWA+ cellular IoT connectivity is the established LTE and GSM industry standards, and standards matter when it comes to security. Both are built on previous generations and have been thoroughly tested by the 700 members of the GSMA prior to being approved. That leaves very little room for surprises or 'we didn't think of that'.
Secure by design means that security features have been built in at every level. Here's an overview.
The starting point is fairly obvious. Cellular LPWA connectivity runs in spectrum bands that are licensed by regulators, managed by operators and dedicated to cellular use. Interference from other radio technologies is therefore kept to a minimum, and the operator keeps control over who is allowed to connect, in contrast to LPWA technologies that share unlicensed bands with any other transmitter.
Next, let's not forget the humble SIM card (although with the variants available today for embedded installation or outdoor temperature extremes, it's not so humble any more). SIM stands for Subscriber Identity Module: a tamper-resistant secure element that holds the subscriber identity and the secret key the network uses to authenticate a device before it is allowed onto the network and its services. It's the same security that mobile operators use to protect their subscribers. Two points worth knowing: in LTE the authentication is mutual (the device also verifies the network), whereas in GSM only the network authenticates the device; and the SIM authenticates the subscription to the network, not the device to your application server, so application-level authentication is still needed on top.
Secure communication channels - VPN + APN
Next, data is encrypted over the air and kept within the cellular network whenever possible. When it has to leave that network to reach the customer's application, a dedicated channel such as a Virtual Private Network (VPN) tunnel can be used so that the data is never exposed in the clear on a public network such as the Internet. This can be combined with a secure, private access point name (APN) dedicated to a specific customer, which isolates that customer's data communications from other traffic. Note that cellular encryption protects the link between the device and the operator's network; it is not end-to-end, so applications carrying sensitive data should still use TLS or DTLS between device and server, even on a private APN.
IoT applications normally only talk to a specific, known set of servers. That makes it possible to restrict communication to a defined set of devices on one side and a defined set of servers on the other, typically enforced as an allow-list at the private APN or VPN gateway. Devices that cannot reach any other destination cannot be turned into a springboard for attacks or data exfiltration, and any attempt to reach an unlisted destination is itself a useful indicator that a device has been compromised.
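As an added example of the destination allow-list described above (not Telia's code or configuration), the following Python script audits a hypothetical flow log exported from an APN or VPN gateway against a per-APN allow-list of servers. The log format, the APN name iot.example.apn, the server addresses and the sample records are all constructed for the example; any flow outside the list is reported both as something to block and as a possible compromise indicator.

```python
"""Destination allow-list audit for IoT devices behind a private APN.

Added example, not Telia's code. It assumes a hypothetical flow log with one
record per line:  <timestamp> <device_ip> <dst_ip> <dst_port> <proto>
and an allow-list of (network, port, protocol) per APN.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical per-APN allow-list: the only servers devices on this APN may reach.
ALLOWED_DESTINATIONS = {
    "iot.example.apn": [
        ("10.50.0.10/32", 8883, "tcp"),   # MQTT broker (TLS)
        ("10.50.0.0/29", 5684, "udp"),    # CoAP/DTLS servers
        ("10.50.0.53/32", 53, "udp"),     # private resolver
    ],
}


@dataclass(frozen=True)
class Flow:
    ts: str
    device: str
    dst: str
    port: int
    proto: str


def parse_flow(line: str) -> Flow:
    ts, dev, dst, port, proto = line.split()
    return Flow(ts, dev, dst, int(port), proto.lower())


def is_allowed(apn: str, flow: Flow) -> bool:
    """True only if destination, port and protocol all match an allow-list entry.

    An APN with no allow-list gets no entries, so the check fails closed.
    """
    dst = ipaddress.ip_address(flow.dst)
    for net, port, proto in ALLOWED_DESTINATIONS.get(apn, []):
        if dst in ipaddress.ip_network(net) and flow.port == port and flow.proto == proto:
            return True
    return False


def audit(apn: str, lines) -> dict:
    """Return {device_ip: [offending Flow, ...]} for every flow outside the allow-list."""
    violations = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_allowed(apn, flow):
            violations.setdefault(flow.device, []).append(flow)
    return violations


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.200.1.7 10.50.0.10 8883 tcp
2024-03-01T10:00:02Z 10.200.1.7 10.50.0.53 53 udp
2024-03-01T10:00:05Z 10.200.1.9 10.50.0.3 5684 udp
2024-03-01T10:00:09Z 10.200.1.9 198.51.100.23 443 tcp
2024-03-01T10:00:12Z 10.200.1.9 10.50.0.10 22 tcp
2024-03-01T10:00:15Z 10.200.1.12 10.50.0.10 8883 tcp
"""

if __name__ == "__main__":
    for dev, flows in audit("iot.example.apn", SAMPLE_LOG.splitlines()).items():
        for f in flows:
            print(f"{f.ts} device {dev} -> {f.dst}:{f.port}/{f.proto} NOT in allow-list")
```

In the sample, device 10.200.1.9 is flagged twice: once for reaching an Internet address and once for connecting to the broker on an unexpected port. The gateway firewall should already have dropped both flows; the audit is there to turn the drop into an alert, because a device that suddenly tries new destinations is the signal you want to see.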
Data over NAS (DoNAS)
Getting deeper now and the acronyms are starting to flow. Data over NAS (DoNAS) carries user data inside NAS (non-access stratum) signalling messages between the device and the MME (mobility management entity), instead of setting up a separate user-plane bearer for it. It can transport both IP and non-IP traffic. Because it rides on the same NAS messages the network already uses for signalling, it inherits the NAS integrity protection and ciphering that LTE applies between the device and the MME, and it avoids the overhead of establishing a data radio bearer just to send a few bytes.
Non-IP Data Delivery (NIDD)
Non-IP data delivery is what it sounds like: it's used together with DoNAS to send data through the network without the device needing an IP address or IP stack, which also removes the IP-level attack surface from the device. NIDD can deliver the data to the application server through a Point-to-Point (PtP) tunnel on the Serving Gateway interface (SGi). Alternatively, it can use the Service Capability Exposure Function (SCEF), which securely exposes service and network capabilities to the application through network application programming interfaces (APIs). Either way the application server receives an opaque byte string with no IP or transport header, so the application itself must define the payload framing and provide any end-to-end integrity and replay protection it needs.
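The DoNAS and NIDD sections above both end at the same point: the network delivers a bare payload, and the application decides what is in it. As an added example (not Telia's, nor 3GPP's, code), the Python below shows one compact, authenticated framing for such a payload: a 16-bit counter for replay protection, a 32-bit reading, and an 8-byte truncated HMAC-SHA256 tag bound to the device identity, verified by a server-side receiver that rejects forged and replayed frames. The frame layout, the device identifier, the key and the readings are all assumptions made for the example; a real deployment would keep the key in the SIM or a secure element and would add confidentiality with an AEAD cipher, which the standard library does not provide.

```python
"""Compact, authenticated framing for a non-IP (NIDD) payload.

Added example, not Telia's or 3GPP's code. Hypothetical layout (big-endian):
    2-byte counter | 4-byte reading | 8-byte truncated HMAC-SHA256 tag
The pre-shared per-device key is assumed to be provisioned out of band.
"""
import hashlib
import hmac
import struct

TAG_LEN = 8
HEADER = struct.Struct(">HI")            # counter, reading
FRAME_LEN = HEADER.size + TAG_LEN        # 14 bytes on the wire
# The same 6-byte body sent over IP would first need a 20-byte IPv4 header
# and an 8-byte UDP header; NIDD drops that overhead entirely.
IP_UDP_OVERHEAD = 28


def _tag(key: bytes, device_id: bytes, body: bytes) -> bytes:
    # Binding the tag to the device identity stops a valid frame from one
    # device being replayed as if it came from another device with the same key.
    return hmac.new(key, device_id + body, hashlib.sha256).digest()[:TAG_LEN]


def encode(key: bytes, device_id: bytes, counter: int, reading: int) -> bytes:
    """Device side: build one frame. Raises rather than silently wrapping the counter."""
    if not 0 <= counter <= 0xFFFF or not 0 <= reading <= 0xFFFFFFFF:
        raise ValueError("counter or reading out of range for the frame layout")
    body = HEADER.pack(counter, reading)
    return body + _tag(key, device_id, body)


class Receiver:
    """Server side: verifies frames and keeps per-device anti-replay state."""

    def __init__(self, keys: dict):
        self.keys = keys              # device_id -> pre-shared key
        self.last_counter = {}        # device_id -> highest accepted counter

    def decode(self, device_id: bytes, frame: bytes):
        """Return the reading, or None if the frame is malformed, forged or replayed."""
        key = self.keys.get(device_id)
        if key is None or len(frame) != FRAME_LEN:
            return None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        if not hmac.compare_digest(tag, _tag(key, device_id, body)):
            return None               # tampered, wrong key, or wrong device
        counter, reading = HEADER.unpack(body)
        if counter <= self.last_counter.get(device_id, -1):
            return None               # replayed or stale frame
        self.last_counter[device_id] = counter
        return reading


def demo():
    """Exercise the happy path, a replay and a single-bit forgery."""
    key = b"\x01" * 16                # constructed test key, not a real secret
    dev = b"nb-sensor-0042"           # constructed device identifier
    rx = Receiver({dev: key})
    f1 = encode(key, dev, 1, 21_500)  # e.g. 21.500 degC scaled by 1000
    f2 = encode(key, dev, 2, 21_650)
    results = [rx.decode(dev, f1), rx.decode(dev, f2), rx.decode(dev, f1)]
    forged = f2[:-1] + bytes([f2[-1] ^ 0x01])   # flip one bit of the tag
    results.append(rx.decode(dev, forged))
    return results                    # [21500, 21650, None, None]


if __name__ == "__main__":
    print(demo())
```

The 16-bit counter is deliberately small to match the constrained payload, which means the device and server need a rollover procedure (for example a re-keying exchange) before it wraps; that is left out here. The truncated tag trades some security margin for bytes, which is the normal NB-IoT trade-off, but the comparison must still be constant-time, hence hmac.compare_digest.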
Still with us? Want to learn more? Read the GSMA white paper on Cellular LPWA security