Plan IoT security the right way: SIM ID, private APN and traffic analysis


In this episode, host Ing. Madeleine Mickeleit speaks with Peter Gaspar, Vertical Market Solutions and Head of Solution Architecture at A1 Digital. Topic: IoT security from the first prototype to full scale. The focus is SIM based identity, private APN, anomaly detection in the network, and practical examples such as smart metering.

Podcast episode summary

How do companies secure connected devices in a cost effective and scalable way?

This episode is for IT and OT leaders who deploy many devices in the field and move PoCs into operations. The central question is how to balance risk, cost, and device constraints such as battery operation and limited compute. Peter shows how to use existing network functions deliberately. SIM based authentication provides a unique device identity; private APN, IP filtering, static IP addresses, MPLS or IPsec protect communication into your own network; network side anomaly detection flags irregularities and prevents misuse of removed SIM cards.

In critical applications such as smart metering you add certificate management, end to end encryption, secured firmware updates, and tamper detection on the device.

Looking ahead, 5G opens options such as network slicing for separate security domains and the SIM as a secure element.
The design also prepares you for NIS2 requirements. The result is a security concept that fits the use case, protects devices and budgets, and scales.

Note: Meet A1 Digital in person.

  • Smart Country Convention Berlin 2025, 30 Sep to 02 Oct.
  • it-sa Expo & Congress, 07 Oct to 09 Oct.
  • RecyclingAKTIV and TiefbauLIVE 2025, 09 Oct to 11 Oct.

Free tickets are available for all three events via the A1 Digital landing pages.

Podcast interview

Hello, dear friends of IoT, and welcome to a new episode of the IoT Use Case Podcast. Today we are talking about a topic that many of you care about. How do I secure my IoT solutions, especially when several devices are networked, from the robot vacuum to the large industrial plant? How do I bring my existing network up to date? Does it already meet key security requirements, or what else do I need to consider? Which measures can I skip, and which do I absolutely need? That is what we are discussing today. We have concrete use cases around Narrowband IoT and other transmission technologies. We will clarify what you need to consider for security from the very start in the design, how to analyze attack vectors, and what current EU requirements mean for your projects. Our guest today is Peter Gaspar. He is Vertical Market Solutions Manager and heads Solution Architecture at A1 Digital. A1 Digital works as an integrator with a focus on true end to end architecture. You will hear exactly what they do in a moment. I am also bringing a few of your community questions. I am very excited about this episode and I hope you are too. You can find all information on implementation at iotusecase.com and in the show notes. Let us get started and head into the podcast studio.

Hello and welcome, Peter. Great to have you.

Peter

Hello Madeleine, thank you. I am looking forward to today’s episode.

Where am I reaching you right now, where are you based?

Peter

I live and work in Vienna. At the moment I am at my holiday home in Semmering, where I have some quiet for the recording.

Beautiful, Vienna. That is fantastic. Greetings to the region around Vienna, it is beautiful. Are you there with the entire team, or how is A1 Digital set up?

Peter

We have three focus countries where we are at home. Part of the team is in Germany and we have a headquarters in Munich. The third part of the team is in Switzerland, where our cloud solution originates and is maintained.

I am checking in the meantime. We last had an episode with you, that was episode 152. A colleague of yours and medDV were there. It was about networking and data integration for emergency services, especially in Bavaria. Today we are talking about a different topic. Before we dive in, a brief introduction to you. You lead the architecture team at A1 Digital, you come from the mobile communications business with over 20 years of experience, and you work with various radio technologies. What fascinates you about IoT?

Peter

I come from mobile communications. That was exciting, but I wanted to do something tangible. In large mobile networks, projects are very large and take a long time. In IoT you can build prototypes quickly and be innovative again, because we implement use cases that until recently were not possible. The field is developing rapidly, and the radio technologies as well. It is exciting to stay on the pulse and try things out yourself.

When you say that use cases are now possible, which ones are we talking about, and which transmission technologies does your team work with? We just mentioned Narrowband IoT. Is that one part of it, or what range of technologies do you work with?

Peter

Yes, absolutely. Narrowband IoT has been around for about seven years, which is not very long in a technology lifecycle. It is a good example of how we can now implement use cases that were not possible before. For example, we developed a hydrant cap that sends an alert over Narrowband IoT when a hydrant is opened or when there is water inside the hydrant. When a hydrant goes into operation, we learn that in real time. Without Narrowband IoT or LTE M this would not have been possible so far, because hydrants do not have a power supply. With the new energy saving technologies that support constrained devices, this has become possible.
In this use case it is interesting to leverage the security properties of the network. The 4G network has seen significant security improvements compared to 2G. You can rely on these properties and include them in your own solution. In this project we used the SIM card for authentication and device identity and used it as the secure component in the device.

When you talk about security properties, can you describe that in more detail? What do you mean by that, and which ones exist in such a network? Not everyone is deep into the architecture, so a brief explanation of what security properties mean in this case would help.

Peter

By security properties I mean functions of the network that solutions can make use of. I do not mean the internal communication of the network components, which I consider secure and even stronger with 5G. Operators have their networks at a level you can trust. You can use these functions to avoid building everything yourself. One example is identity and authentication. I do not need to build my own authentication into the solution. I use the device identity provided by the network. Another example is APN splitting. This lets me isolate my use case from other customers of the mobile operator. I can build a virtual network over the mobile network and control IP filtering or encryption from the operator to my network according to my needs. I receive my own Access Point Name, that is, APN. The mobile provider can secure this split APN as needed. Options include an IPsec tunnel, an MPLS connection directly to the company network, or filtering of unwanted communication paths.

[08:23] Challenges, potentials and status quo – This is what the use case looks like in practice

You said you can avoid building everything yourself. In the end this is a technology investment. How do customers do it today without you, and where do they lose time and money? What do you recommend?

Peter

In the field I see two extremes when customers design their solutions on their own. First, an IoT use case arises from a proof of concept created by an enthusiast inside the company. Security is hardly considered or is pushed to the background with the idea of adding it later during productization. When that time comes, the know how is often missing, or the business case turns negative because securing and productizing the solution requires a lot of effort. Second, some build the entire security chain themselves. Once the solution is connected to the mobile network, duplication occurs in several places, meaning double encryption and double authentication. That creates unnecessary cost and complexity, both on the devices and in the overall solution.

I see. If we stay with the hydrant example or look at another project, I often see a proof of concept start small. You take a SIM card, have the device ID, build the solution, and it works at first within the project. When you scale to hundreds or thousands of devices, challenges arise. You should look closely, otherwise hidden double costs appear, for example through double authentication. Did I understand that correctly?

Peter

Exactly. It always depends on the use case and its security requirements. We show the customer the full picture, that is, how the use case should work end to end, where possible attack vectors lie, and what risks exist. Together with our security experts we evaluate the overall solution and propose an optimal design.

You said there are specific security requirements for each use case. Is there a categorization or criteria?

Peter

We work on a granular, per use case basis. One example: A customer rents out caravans and stores them over winter in a large parking area. The goal was to locate each caravan at zone level so staff can find it quickly. Meter level accuracy is not required, the zone is enough. At the same time the devices are heavily constrained, because there is no power supply in winter. Everything runs on batteries, compact and efficient. Together with our security experts we assess the risks. What happens if data is forged or does not arrive. What if the SIM card is removed and used elsewhere. Based on those risks we recommend suitable technologies. In this case the risks are low. If data gets lost, the staff member searches a little longer. The biggest risk is misuse of the SIM card.

By a staff member or someone internal?

Peter

Exactly, either by a staff member or by someone who rented the caravan earlier and removed the SIM card before winter storage. Our recommendation is therefore to forgo additional end to end encryption on the device and instead bind the SIM card tightly to the device. If we detect in the network that the SIM card is in another device, we block it automatically. To counter spoofing of the device identity we add a network filter that allows the SIM card to communicate only with the actual use case server. If someone puts the card into another device and forges its identity, they still only reach that server and cannot use the card for anything else. With a single SIM card, the risk of a denial of service attack on the server is low. Logs and traffic analyses reveal anomalies quickly, and you can block the card. This gives you a solid security level without overcomplicating the device. Power consumption stays low, no extra compute is needed. Network filtering and network identity provide the decisive protection here.

Very interesting. I was not aware that SIM cards can be removed or swapped. That certainly affects other IoT use cases where many devices are managed and security gaps can arise. You have to consider that from the start.

[15:44] Solutions, offerings and services – A look at the technologies used

You mentioned cost aspects. Let us summarize briefly what to watch out for. First, device identity and authentication via the SIM, that is what I took away. Second, separation through the network with a dedicated IP space. Third, traffic analysis as a protection mechanism, so checking what a device does and whether it should be doing that. Is that accurate as a summary?

Peter

Exactly. You can detect anomalies and raise alerts so that operations can decide whether it is an attack or normal behavior. These anomaly analyses and the alerting can also be implemented in the network.

Do you do that directly in your team or via a partner? How does that work?

Peter

We usually implement this with partners. We are an integrator and combine the right components into a solution for the given use case.

Exactly. That is interesting, because people know A1 Digital as a major player in mobile communications, and here you also take on the role of integrator who truly plans the architecture end-to-end. Not everyone does that. It is also exciting that you build from the hardware, meaning the SIM card, all the way to the platform together with partners. I assume the partners depend on the use case.

Peter

Absolutely. We have components that we use in almost every project, for example the IoT platform, the connectivity, and selected hardware that we reuse. This way we assemble solutions efficiently and do not have to start from zero for each one. Our productization experience is crucial. Security is central when you lift a proof of concept to a product that you can roll out at scale and rely on.

Then I would say, consider security from the very beginning. Include it already in your proofs of concept so you can use network functionalities optimally and integrate them cleanly into your architecture. Which use cases do you have? Do you already consider this today? Do you work with partners? Feel free to comment or write on LinkedIn. Peter, I will put your contact in the show notes. LinkedIn works as a channel, right? If you want to share best practices or discuss your project, feel free to reach out.
I will also touch on your solution. You mentioned traffic analysis, network filtering, and security requirements. Is that a service you provide? What exactly do I buy? Does it come with your products? Please explain your solution briefly and how I should proceed if I want to work with you.

Peter

Much of what I talked about today consists of standard connectivity products. A private APN is a standard available with connectivity. Authentication via the SIM card, binding a SIM card to a device, and automatic reaction when the device is replaced are part of that as well. The key is to actually use these products. In an end-to-end solution we deliberately build in these properties. We help find the optimal combination of functions for the use case so that it remains economical. Simple, not too complex, yet at the required security level. Security is not underestimated, but in many cases you can use the network to simplify a lot.

That is important. Thank you for the note. You said at the beginning that the business case must always be considered. When you build solutions for customers, you have to check whether it pays off. You often start small and iterate. It is essential that you look at the business case as well. Whether hydrant or caravan, there is always a business case behind it that you have to calculate. Good that you emphasized that again.

Peter

At the other end of the spectrum are our smart metering projects. Security is taken very seriously there, because it involves personal customer data and billing. We first use network functions such as MPLS or IPsec tunneling, meaning encryption directly in the network, private APNs, filtering, authentication, static IP addresses, and unique device identification. In addition, we advise on application level security, for example on distributing certificates and their lifecycle. We recommend end-to-end encryption from the meter to the central system and consider the entire lifecycle of the meters, including secured firmware upgrades. An anecdote from one project. The SIM card cannot be removed from the meter. That is monitored by a built in sensor. As soon as someone opens the meter, an alarm is triggered immediately. So it is not only about mapping the SIM card to the device in the network, but also about detecting physical tampering. Such projects are secured on multiple levels. You see how important the network is and that it should be deliberately considered and used.

Absolutely. You cover a wide range of use cases. I will link that in the show notes. Feel free to visit A1 Digital, there you will find the case studies you have implemented with customers, and of course also on our platform. I found the story with your customer Hawle particularly exciting. Read up on how they proceeded and join our community. If you want to exchange ideas, share best practices, or discuss your project, feel free to reach out. Thank you for being here today. It was valuable to dive deeper and clarify what matters in implementation, what is needed, and which aspects security covers.

[24:00] Transferability, scaling and next steps – Here’s how you can use this use case

One last question to close. How will these projects evolve over the next two to three years? Do you see trends, for example in network segmentation? What do you think will be added? Are there new product features on your side? Tell us as far as you can.

Peter

With 5G and the new standards it will become even more exciting. There are improvements in data integrity. For physical security 5G networks bring capabilities where the network itself serves as a sensor. Changes in the electromagnetic waves, for example when a person enters a room, can be detected and used in use cases. There are also initiatives that use the SIM card as a secure element for applications. Certificates can be stored on the SIM and their lifecycle can be managed there. On top of that there is network slicing. The 5G network can be partitioned for multiple applications, security requirements can be considered separately, and the quality and reliability of communication can be ensured deliberately. There is a lot coming. We are looking at it and talking to customers who need it.

That sounds like another episode where we can go deeper. Thank you for your time and the insights. Best regards and have a good rest of the week, everyone. Take care, bye.
