Cellular IoT device security–Why the right vendor strategy is important (Analyst Angle)
In my previous articles here, and here, I explained the rationale for increased focus on device security and its challenges. The threats are more acute, especially from unknown foreign vendors offering predatory pricing. After reading the articles, a few people questioned me about the ills of such a situation and even suggested that the fierce competition will keep the pricing low and vendors in check. In this article, I will explore whether such short-term thinking will help or hurt the industry in the long-term and examine some what-if scenarios. I will also draw parallels to some historical lessons, and finally, offer suggestions on how the IoT ecosystem could protect itself.
Learning from history
The best parallel to what is happening in the IoT vendors space is the situation of American and European cellular Infrastructure vendors during the 3G transition, in the late 90s and early 2000s. I vividly remember it because I was amidst all of it, working for one such company. The world was slowly moving from 2G to 3G. The infra behemoths mostly from US and European companies, including, Lucent, Motorola, Nortel, Nokia, Siemens, Alcatel, and others were trying to get their customers to move to 3G quickly. However, they soon faced unprecedented headwinds from unknown Chinese companies named Huawei and ZTE, offering extremely low pricing. It was alleged that their low pricing was not only because of their lower cost but also more importantly because of the support from their governments. American and European vendors, confident because of their decades of heritage and experience, never took these players seriously. But alas, because of the dot com bust, and intense price pressure, many of those behemoths folded in no time. Others cobbled together to survive, but as a much smaller shadow of their former self. Only two among them remain in business, that too largely because of the US market where Chinese vendors are not allowed. From the ecosystem perspective, there are far fewer choices of vendors globally, and even fewer in the US.
So, what can we learn from this harrowing experience? Well, simply making decisions on cost alone might be very attractive in the short run, but might have negative long-term consequences. Once the landscape changes, it cannot be put back.
Perils of inaction now
If this practice of offering artificially low prices on IoT devices and modules because of Chinese government subsidies goes unchecked, none of the non-Chinese vendors can sustain low margins and will edge towards bankruptcy or exit the market. Very soon, there would be anybody of repute left.
In such a situation, the IoT needs of critical infrastructures such as power grid, smart cities, installations of national security, and others, will not have any option but to rely on unknown suppliers without any proven track record or reputation. The case would be similar for large enterprises, industrial complexes, and such where IoT devices are a basic staple. The confidence in the security of IoT devices should be unquestionable and not even up for debate. Consider 5G Massive IoT, which will build on the solid foundation of 4G IoT. Additionally, going forward sharing of spectrum between defense and civilian cellular networks is going to be the norm. An early example of such an arrangement is CBRS, which allows sharing of spectrum between the US Navy and cellular operators. Any security breach in such deployments could expose the critical military operations for sabotage. These include radar and satellite communication systems.
Generally, there are risks with relying on a group of suppliers all coming from the same region/country. What if, trade wars flare up, resulting in high tariffs, or even worse, import/export bans, similar to the recent US ban of Huawei? In such a case, the whole critical infrastructure could come to a screeching halt — also, such vulnerability provides a huge advantage to the foreign country in any trade negotiations.
Many of the Chinese vendors are very small without any public, reliable information on their background, ownership, business, objectives, or motives. What if they plan to conquer the market now with low pricing, and increase prices exorbitantly soon after all the competition has diminished? Even worse, what if they had ulterior motives? No matter how much these companies vouch for their authenticity and business objectives, unless they can open themselves for close scrutiny or better yet, list on some of the reputed stock exchanges in the US or Europe, it is extremely hard to be convinced of their authenticity. If you consider the headwinds that Huawei is facing, even with its significant brand recognition, the path for unknow IoT companies will be even harder, if not virtually impossible.
How to ensure device security
Historically, utilities and many critical national infrastructure providers have been very conservative in their vendor selection. They make their vendors go through an extreme, multi-level vetting process, covering both technical as well as financial viability. They should continue this practice and include evaluation of overall ecosystem health, long-term impacts, and diversity of suppliers. Private enterprises should get the cue from them and be very careful in their vendor selection as well. The assessment should also include import bans, trade wars, and other such unlike yet catastrophic considerations.
The IoT users should evaluate the lifetime cost of ownership of their IoT devices, instead of just the initial cost. IoT devices typically have a very long life, extending ten years in some cases. During such a long time, the cost of maintenance, timely upgrades, quick fixing of security flaws exceeds the original procurement cost of the device. Additionally, these institutions should examine and understand the motivation behind predatory pricing and act with a long-term point of view.
As a last resort, the government and regulators should look at putting safeguards in place for procurement of critical infrastructure. The focus should not just be on the network, but equally, if not more on the devices as well. For example, the US government banned some vendors from supplying cellular network infrastructure. There could be a case be made for similar safeguard for devices for critical uses as well.
The biggest step the IoT users, be it government agencies or private enterprises, can take is to make sure to create an environment to nurture diverse, strong, reputable, and reliable players who value security.