Blog Series:
UNDERSTANDING THE EVOLVING CELLULAR IOT SECURITY LANDSCAPE & REQUIREMENTS

As part of a quarterly blog series dedicated to addressing security within cellular IoT connectivity, Kaleido examines the evolving threat landscape, customer challenges and solution approaches being implemented to keep companies secure as digital transformation takes hold.

The Rising Need for Solutions to Combat Cellular IoT Security Threats

It was interesting to note that at Mobile World Congress 2024, there was relatively little discussion covering regulation, compliance and security for IoT. Security is typically found high up in the list of priorities for potential IoT customers, yet today, relatively few cellular IoT connectivity providers on the market can offer solutions that put the customer in control of its security implementation. Importantly, governments and enterprises have recognised the potential risks attached to IoT device deployments, which has accelerated the development of regulation, best practice frameworks, and market demand for tooling on the customer side.

Regulation and Compliance Take Centre Stage

The current regulatory landscape is characterised by a patchwork of laws, regulations, and industry standards governing cybersecurity across various jurisdictions and sectors. From the General Data Protection Regulation (GDPR) in Europe to the California Consumer Privacy Act (CCPA) in the United States, organisations face a myriad of compliance requirements aimed at protecting the privacy and security of personal data. Additionally, industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare and the Payment Card Industry Data Security Standard (PCI DSS) in financial services, impose additional obligations on organisations to secure sensitive information and prevent data breaches. Recently, the NIST Cybersecurity Framework 2.0 was published, and offers organisations an invaluable tool for cybersecurity and compliance management. The latest edition is intended for all organisations, and not just those in critical infrastructure segments as in the framework’s previous edition, thus serving as a driver towards greater application of security best practices within companies reliant on initiatives such as IoT.

Blog Author
Steffen Sorrell
Chief of Research

The new and enhanced regulatory environment, which includes fines and liabilities, is forcing companies to take a more proactive risk management approach so they can identify potential threats before they escalate into cyber incidents. In 2024, further regulation and activity are expected in six main areas: Resilience, Reporting, Responsibility, Privacy, Standards, and Artificial Intelligence.

Growing Importance of IoT and Cellular IoT Security

The expansion of IoT brings with it a host of security challenges, especially in the cellular IoT domain. The diversity and large scale of IoT devices, as well as the fact that they are exposed outside the perimeter, make them attractive targets for cyberattacks, and their interconnected nature can lead to widespread vulnerabilities.

The challenge in securing cellular IoT networks lies in the unique paradox that the data owner is the connected organisation, while the network owner is the operator. This paradox challenges organisations that want to implement cybersecurity best practices to meet regulations and protect themselves against liability in case of a data breach or any other event. Solving the cellular IoT paradox will significantly increase organisations’ adoption rate of cellular IoT networks.

You Cannot Protect What You Cannot See

Historically, the mobile network has been opaque to the end customer. MNOs own the network infrastructure which enables connectivity, and have not traditionally exposed detailed traffic information to enterprise customers. Therefore, IoT cybersecurity visibility among enterprises has traditionally been limited to the back-end services to which devices are connected: should rogue devices communicate with unauthorised servers or devices, this activity would not normally be visible. On the CSP side, and even among MNOs, there is often limited visibility into the types of IoT devices operating on networks (particularly in a roaming context), which naturally impacts how they should be observed and analysed in a cybersecurity context.

Despite the existence of regulations and compliance requirements surrounding IoT, very few CSPs currently provide their customers with insight into connected asset activity and behaviour in the realm of cybersecurity: in a 2023 Kaleido Intelligence analysis of 28 leading cellular IoT Connectivity Management platforms on the market, only 3 platforms identified were capable of detecting malicious device behaviour on the network and providing that information to customers, beyond the typical alerts based on device data over- or under-consumption.

It is evident that a gap remains in the market where addressing IoT cybersecurity challenges is concerned. However, we have recently witnessed leading CSPs joining forces with technology innovation companies to deliver enhanced visibility and security to enterprises across the cellular IoT network.

Figure 1: Proportion of Cellular IoT Connectivity Management Platforms Offering Cybersecurity Threat Tooling (Kaleido Intelligence Connectivity Vendor Hub 2023)

Today, any security-conscious enterprise has solutions in place to monitor assets within its IT or OT network, detect threats, mitigate them, and report to relevant stakeholders on how risk is managed. Adding tools that support this same capability across the mobile network, close the visibility gap and enable enterprises to control threat management will inevitably add value to those same players, as well as help solidify cellular technology as a strong solution for high-security IoT.

Your Security Strategy

Interested in positioning your security strategy for success? Access our “Mobile Network Fraud & Security: 2023 Outlook” report, offering a comprehensive analysis of the mobile telecom fraud and security landscape.
