Service Provider

Protecting Against Narrowband IoT Security Risks

August 1, 2019 — by Eyal Yaron


Narrowband internet of things (NB-IoT) is a low power wide area network (LPWAN) radio technology standard developed by the 3rd Generation Partnership Project (3GPP) to enable a wide range of cellular devices and services.

NB-IoT focuses on low cost, long battery life and high connection density. NB-IoT uses a subset of the long-term evolution (LTE) standard but limits the bandwidth to a single narrowband of 200 kHz. In March 2019, the Global mobile Suppliers Association (GSA) announced that over 100 operators have deployed/launched either NB-IoT or long-term evolution for machines (LTE-M) networks.

NB-IoT Security Risks

The NB-IoT network design enables efficient connectivity of mass numbers of connected user equipment (UE), reducing the network overhead associated with every connection request. The new design encapsulates the required data payload (as telemetry data) into the signaling link connection, reducing the need to open a dedicated bearer (i.e., GTP tunnel) for every single small amount of metering information sent from the network.

The network devices connected over the NB-IoT network are manufactured at a very low cost and can run up to 10 years on a pre-installed battery. The NB-IoT devices serve as sensors or remote telemetry units and are controlled by external services — IoT platforms — that schedule their activity and manage their life cycle through operational control and remote software updates. A single UE on NB-IoT has a very low network footprint and is not a major security risk on its own.


The risks hidden in NB-IoT devices come from their scale. There is a strong potential for orchestrating denial-of-service (DoS) attacks by harnessing a cluster of devices to send unplanned communication toward designated victims. Such communication can not only interrupt service on the victims’ servers but also impact the service provider network, where the resulting signaling load degrades service by preventing other, non-infected devices from sending their telemetry data or responding to their control requests.

NB-IoT Risks and the IoT Service Economy

The IoT services offered by a service provider are challenged by a very low income per connection compared with regular service plans. We can see examples of IoT connectivity sold at $1 per month, whereby the price point aims to address a market potential of 3.5 billion cellular IoT connections by 2025, including 1.9 billion licensed LPWA connections.


With such an aggressive price per connection, service providers require careful selection of technologies that will impact the operating costs per connection. Although security is an important factor in the overall capital investment, the challenging economy of IoT network connectivity prices is also a huge consideration.

Protecting Against NB-IoT Risk

When service providers approach the task of planning a solution to help protect against NB-IoT risks in the network, they face several design questions:

  • Should they track individual device operational metrics just to understand when a single device changes its regular behavior?
  • How do they define, and should they define, what is “regular” device behavior? How do they measure the behavior of an individual device compared to a group of devices?
  • Can they incorporate such massive data processing tasks in the low-compute footprint (and cost structure) that business economics dictates?
  • Can they avoid detecting legitimate communication as malicious traffic?
  • Can they eliminate the additional staff work required to maintain and operate such a solution?

The above challenges can be addressed with the following solution requirements:

  • A system based on self-learning of the behavior of NB-IoT devices
  • A solution that reuses existing telemetry streams
  • A software-based, low footprint, distributed solution that allows cost-effective, network-wide deployments
  • A solution based on automated flows in response to security event detection
  • Integration with the existing service provider’s network infrastructure security such as DoS protection and web application firewalls (WAFs)
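
One way to picture the first three requirements, as an added example that is not from the original post or any vendor product: a self-learning baseline kept per device group rather than per device, fed by per-interval message counts assumed to be available from existing telemetry. The EWMA model, thresholds, record layout and the `meters` group are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

class GroupBaseline:
    """Self-learned EWMA mean/variance of per-interval message counts for one device group."""
    def __init__(self, alpha=0.1, k=4.0, warmup=20):
        self.alpha, self.k, self.warmup = alpha, k, warmup
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def is_outlier(self, count):
        if self.n < self.warmup:                 # still learning: never alert
            return False
        std = max(math.sqrt(self.var), 1.0)      # floor so ordinary jitter is not flagged
        return count > self.mean + self.k * std

    def learn(self, count):
        if self.n == 0:
            self.mean = float(count)
        else:
            d = count - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.n += 1

def detect(records, group_alert_fraction=0.2):
    """records: (interval, group, device_id, msg_count) tuples ordered by interval.
    Returns (device_alerts, group_alerts); baseline state is per group, not per device."""
    baselines = defaultdict(GroupBaseline)
    tally = defaultdict(lambda: [0, 0])          # (interval, group) -> [devices seen, outliers]
    device_alerts = []
    for interval, group, device, count in records:
        base, seen = baselines[group], tally[(interval, group)]
        seen[0] += 1
        if base.is_outlier(count):
            seen[1] += 1
            device_alerts.append((interval, group, device, count))
        else:
            base.learn(count)                    # outliers never update the baseline
    group_alerts = sorted(k for k, (total, bad) in tally.items()
                          if bad / total >= group_alert_fraction)
    return device_alerts, group_alerts

def constructed_sample(burst_devices=3):
    """Constructed data: 10 meters send 1-2 messages per interval; some burst to 40 at interval 30."""
    return [(t, "meters", f"ue-{d}", 40 if (t == 30 and d < burst_devices) else 1 + (t + d) % 2)
            for t in range(31) for d in range(10)]

if __name__ == "__main__":
    print(detect(constructed_sample()))
```

A single deviating device produces only a device-level alert; the group-level alert fires when a fraction of the group deviates in the same interval, which is the scale condition the post identifies as the real risk.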

Even with the best day-one network authentication in place and rigorous IoT-type approval processes managed by the carrier, there will always be unavoidable risks. Such large-scale and varied IoT device communities will become a security liability and a cause of major service interruptions — not only to the owners of the compromised IoT devices and services, but also to the rest of the customers using the same network resources.

In the competitive economy of mobile carriers, such risks should be avoided before detrimental effects reach beyond the network’s performance and health and result in other negative business consequences.


Solutions for such IoT risks can be designed and deployed as an overlay solution on top of existing network infrastructure without considerable effort, which will ultimately help the service provider realize new revenue streams while providing peace of mind for its enterprise customers.

2018 Mobile Carrier Ebook

Read “Creating a Secure Climate for your Customers” today.


Network Slicing: Not As Dicey As You Might Think!

May 30, 2019 — by Eyal Yaron


Every now and again, we hear a new technical term that requires a cursory Google search to make sure we are current with the times. Sometimes new terms are just recycling old concepts. Right now “Network Slicing” is en vogue, promising to help enable the evolution of modern networks. 

At its core, it involves the ability to run multiple virtual networks across a shared physical infrastructure – essentially a separation of data plane and control plane. We have seen these before, for example in Software Defined Networking (SDN) and Network Functions Virtualization (NFV), both of which are inextricably linked to network slicing. Although often used concurrently in 5G discussions, network slicing is, in fact, an architecture paradigm that can exist outside of 5G and provide immense value for service providers in terms of efficient implementation of value-added services that can be monetized as revenue.


Dedicated Virtual Networks

Network slicing aims to isolate specific application traffic into a dedicated virtual network, whereby each slice carries specific application traffic such as IoT Telemetry or Automotive. Having an isolated virtual network enables different use cases to have unique network characteristics to a diverse end-user community. It also provides an opportunity to match allocated resources for the slice to expected usage patterns and specific value-points of the end-user services.

An example of a slicing application is telemetry sensors. Telemetry sensors that are required to send data every 12 hours may settle for high latency values, low bandwidth, and centralized compute services in the cloud. An industrial IoT deployment that controls the manufacturing floor will require low latency and local compute with high bandwidth at the far edge. In this case, building a single network that must carry both services will not be efficient and will create unbalanced costs. Imagine if you had to build an eight-lane highway and let bicyclists ride it occasionally!

Cyclists vs. Autos

But with network slicing, the service provider can offer different connectivity based on a dedicated slice, which ensures the service offerings do not overlap. In our example, that would be one road crafted only for cyclists and a different road for autos. Having a dedicated slice (e.g., road) can keep costs and expected revenues better aligned; for example, we assume in our analogy that a truck driver will pay more compared to a motorcyclist.

With respect to slicing implemented around the topic of network security in particular, service providers can offer a security posture that gives them the best chance to keep costs in check while keeping the network safe and affordable to operate. 

For more information on this, come hear Radware’s Eyal Yaron speak at 5G World Congress in ExCeL, London on June 12. Details for Eyal’s panel can be found here.


The Necessary Burden of 5G Security

May 14, 2019 — by Eyal Yaron


Today’s infrastructure threats will have major impacts on tomorrow’s 5G commercial networks. 5G network slicing, virtualization and disaggregation introduce new levels of complexity to network security, requiring a high level of automation in security on-boarding, scale-out and attack mitigation.

5G security must be considered in the Day 1 network build and woven into the network architecture. Otherwise, the immense job of re-architecting the network afterward will be a cost-prohibitive exercise.

Service providers are faced with a necessary burden of managing security threats in the 5G network.

Your ‘Typical’ Security Solution

A typical network security solution will include several security elements, such as firewalls, DDoS protection devices, IPS/IDS, etc. Each system may require its own domain expertise when it comes to proper configuration and tuning. When a carrier-grade network slice is under attack, dedicated expertise is required for handling changes and setting the proper mitigation actions. With the new paradigm of 5G network slicing coming onto the scene in a highly distributed network, carrier security teams will be challenged.


Service providers are already in a precarious position of creating healthy profit margins with the onslaught of over-the-top data and video traversing their networks. New revenue streams are tough to come by, and so the other lever available to influence margins is cost control. However, the cost economics do not scale well when contemplating an increase in security staff to prepare for 5G. The new attack vectors are just too complex and too high in volume to adequately address with a bloated Security Operations Center (SOC) that relies on human oversight and management alone.

Stronger Visibility

What makes more sense is adoption of a comprehensive security solution used across all network slices to benefit from ease of management and SOC skill sets.

The ideal toolkit for service providers is vendor technology whose threat detection is built on self-learning rather than depending heavily on pre-configured rules. Minimal setup and configuration lower the overall carrier security team effort around system operation. Now, instead of manual provisioning and troubleshooting, the SOC specialist can look at a dashboard to see what was detected by the system and what mitigation actions took place to defend against malicious threats to the system. This yields strong visibility into network security threats across all network functions and slices.

In the new 5G security play, the various security functions are on-boarded per slice in alignment with the required network capabilities and desired distribution. The total investment in security computing resources and licenses is aligned with the network slice investment, allowing the carrier better control over the risks and the costs associated with a specific network slice.

Automated attack mitigation capabilities provide the security team with ‘peace of mind’ that all ‘war time’ actions are taken care of in an automated manner with no manual intervention by security administrators.

So although 5G carries with it very challenging security issues, service providers can be proactive in creating a security posture that gives them the best chance to keep costs in check while keeping the network safe.
