Almost every other article about IoT security ends with the same recommendations. It goes like this: change the edge device’s default login password to something “strong” and don’t forget to change it from time to time, make sure that the device has the most recent firmware, configuration, and security patches, communicate with the device using a secure encrypted tunnel (usually a VPN), close unused ports and apply access control using a firewall.
The pragmatic reality of the IoT eco-system is that edge devices should be as economical as possible to keep profitability high. Furthermore, after the initial setup of the IoT network, adding more edge devices should stay cost-effective so that the business can grow. As an IoT system developer or integrator who cares about security, have you really considered the most cost-effective way of implementing the security measures that are typically recommended?
Secure VPN Tunnels
The Problems: Adding a secure tunnel to your IoT network has lots of benefits. First, it encrypts and hides the actual communication channels of the IoT network for both the data and the command & control channels. Also, since a peer-to-peer connection is established from the edge device to the company’s server, it effectively prevents “man-in-the-middle” attacks.
The most common secure tunnel is a VPN. Implementing a VPN for an IoT network depends heavily on the nature of your edge devices, the networking architecture and the communication channel used to reach the outside world. The rule of thumb is that the secure tunnel should be established between the company’s IoT servers and the IoT devices, terminating as close as possible to the edge. This means setting up a VPN for every device, or at least for every group of devices that are locally related to each other. IoT devices are usually, by design, very light in computing power, and chances are that they do not include a VPN client module at all, so another endpoint such as a VPN gateway has to be used instead.
To conclude, in order to set up proper secure tunnels to your IoT devices you need additional, costly hardware and IT department resources to manage every VPN tunnel, from the VPN server to every gateway at each edge device’s site. As you can see, adding a VPN complicates things at the edges of the network, where things should be simple and cost-effective. Instead of worrying only about power consumption and communication, you now have to rearrange the network architecture of your remote sites and add extra hardware, just to incorporate a secure tunnel.
The Solution: The most cost-effective way of implementing a secure tunnel to your IoT edge devices is to use cellular communication. Specifically, connect the edge devices to the internet using IoT SIM cards that belong to a Secure MVNO (Mobile Virtual Network Operator), one that can guarantee tunneled communication between its core and the company’s servers, as well as network resiliency.
There are many good reasons to choose cellular communication over other kinds of IoT communication protocols, with security being one of the best reasons. The reason is that it allows keeping the edge IoT device’s connection as inexpensive and simple as possible while implementing most of the security measures within the SIM card and the secure core, which is used as a service by the IoT network owner.
monogoto is a Secure MVNO that lets every edge device connect and communicate with the monogoto secure core using a monogoto IoT SIM card inserted into the cellular modem. With the monogoto IoT SIM card the modem does not need to support VPN client capabilities, because channel encryption is provided by the cellular network’s own cryptographic capabilities (use 3G-UMTS or 4G-LTE). In addition, tunnel integrity relies on additional unique mechanisms that are implemented within the monogoto SIM card and secure core.
From this point, monogoto establishes a single VPN connection from the secure core to the IoT company, routing all the traffic from the various IoT devices through a single point, which is the only actual connection to the internet. Instead of multiple VPNs from the company’s server to every edge of the IoT network, there is only one VPN tunnel to monogoto’s secure core, and that tunnel is mapped to every edge device. As a result, there is no need for a VPN-enabled gateway at the edges.
Walled Garden and Device Isolation
Securing IoT devices through a secure MVNO can provide additional capabilities, such as configuring a certain group of SIM cards to communicate only with other SIM cards within the same group. This mechanism effectively creates a “walled garden” for all the SIM cards used by the IoT devices of a certain group, which in turn belongs to a specific company. The walled garden is a built-in capability in monogoto, whereas with a traditional cellular operator you need to purchase a private APN.
This way, all communication with the edge IoT devices inside the “walled garden” can be handled by also giving cellular connectivity to the other parts of the network, for example the company’s server. By using monogoto SIM cards for both the IoT devices and the server, you eliminate the need for an external internet connection to reach the server. All communication stays within the same MVNO and is not accessible from the internet, creating a truly private network.
Another cool feature is device isolation, with which you can define which SIMs in a network can reach each other, and which SIMs should be isolated from all other devices.
Other interesting security-oriented capabilities available to monogoto’s customers include visibility and control over all IP and signaling traffic. The idea is to avoid scenarios in which your IoT device hardware is transmitting data to, or receiving data from, unknown sources.
In practice, this means that a company that builds its IoT network on monogoto’s IoT SIM cards and services can apply, by itself, through the network and with no additional external hardware, both IP firewalls (for example, block or allow certain IPs) and signaling firewalls (for example, block or allow certain SMS messages or calls).
There is no reason for your IoT device to communicate with the outside world at large, so you should have plug-and-play tools, including APIs, to enforce that and make sure your network is safe.
Traffic control and visibility mean that every customer can set up alerts based on any event in the network (such as a Cell_ID change, an IMEI change, a data usage threshold and more) and capture actual packets (pcap files) for enhanced debugging. Visibility should also come with a suite of advanced analysis tools such as DPI (Deep Packet Inspection) for IP traffic, which can be extended upon request.
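As an added illustration (not monogoto’s code or API; a hypothetical policy model with constructed SIMs, IMEIs, cell identifiers and session records), the Python sketch below shows how the walled-garden, device-isolation, IP-allowlist and network-event-alert controls described in this and the preceding paragraphs can be expressed and evaluated on the operator side:

```python
# Hypothetical model of the SIM-level controls described above (walled-garden groups,
# per-SIM isolation, IP allowlist, alerts on IMEI/Cell_ID change and a data threshold).
# Not monogoto's API; every identifier and record here is constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Sim:
    iccid: str
    group: str
    isolated: bool = False                         # isolated SIMs reach no other SIM
    allowed_ips: set = field(default_factory=set)  # empty set = no IP egress at all

def sim_to_sim_allowed(src: Sim, dst: Sim) -> bool:
    """Walled garden: traffic stays inside one group; isolation overrides membership."""
    if src.isolated or dst.isolated:
        return False
    return src.group == dst.group

def ip_allowed(src: Sim, dst_ip: str) -> bool:
    """IP firewall applied in the core: default-deny, allow only listed destinations."""
    return dst_ip in src.allowed_ips

def detect_alerts(records: list, data_threshold_mb: float) -> list:
    """Scan time-ordered session records per SIM for the events the text names."""
    alerts, last, usage = [], {}, {}
    for r in records:
        iccid, prev = r["iccid"], last.get(r["iccid"])
        if prev and prev["imei"] != r["imei"]:          # SIM moved to another modem
            alerts.append((iccid, "IMEI change", prev["imei"], r["imei"]))
        if prev and prev["cell_id"] != r["cell_id"]:    # device changed serving cell
            alerts.append((iccid, "Cell_ID change", prev["cell_id"], r["cell_id"]))
        before = usage.get(iccid, 0.0)
        usage[iccid] = before + r["mb"]
        if before <= data_threshold_mb < usage[iccid]:  # fire once, on crossing
            alerts.append((iccid, "Data usage threshold", data_threshold_mb, usage[iccid]))
        last[iccid] = r
    return alerts

# Constructed fleet: three SIMs in one garden (one isolated) and one in another group.
SENSOR_A = Sim("8901000000000000001", "fleet-1", allowed_ips={"203.0.113.10"})
SENSOR_B = Sim("8901000000000000002", "fleet-1")
ISOLATED = Sim("8901000000000000004", "fleet-1", isolated=True)
OTHER = Sim("8901000000000000005", "fleet-2")

RECORDS = [  # constructed session records: which modem (IMEI), which cell, MB used
    {"iccid": SENSOR_A.iccid, "imei": "356938035643809", "cell_id": "310-260-1234-567", "mb": 3.0},
    {"iccid": SENSOR_A.iccid, "imei": "356938035643809", "cell_id": "310-260-1234-999", "mb": 4.0},
    {"iccid": SENSOR_B.iccid, "imei": "490154203237518", "cell_id": "310-260-1234-567", "mb": 1.0},
    {"iccid": SENSOR_B.iccid, "imei": "000000000000000", "cell_id": "310-260-1234-567", "mb": 1.0},
]
```

Running `detect_alerts(RECORDS, 5.0)` yields a Cell_ID change and a threshold crossing for SENSOR_A and an IMEI change for SENSOR_B, which is the kind of event a customer would wire to an alert.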
monogoto believes that giving customers control over their traffic allows a simple, yet smart, implementation of the desired security policy. Each customer has its own unique security policies and should be able to decide the best way to implement them.
Connecting IoT devices through a secure MVNO like monogoto keeps the costs of complying with the IoT security requirements low, because all the security features are available out-of-the-box within the cellular core. Instead of buying additional hardware like external VPN clients or firewalls for the edge IoT devices, and making painful changes to the existing network architecture, you can use monogoto’s IoT SIM card and services to achieve your deployment goals. This will save time, effort, and money because the network is highly scalable and lets you focus on what you need to do.
It is important to note that most of the security capabilities monogoto has to offer are not available from traditional MNOs. For some of the most basic features you might have to pay extra (for example dedicated VPNs or Private APNs), while other features, such as alerts on network events or pcap capture of actual IP traffic, simply don’t exist in other MNOs’ offerings.
Lastly, if you have IoT devices that are deployed worldwide, it is unreasonable and not cost-effective to establish a VPN and Private APN with every potential MNO in every geography. For that reason, it is best to use monogoto as your pivotal Secure Cellular MVNO solution.
Credit to Zvika Gat, who assisted in writing this post.