LPWANS: A Hidden IoT Security Risk

Make sure your company is not caught off-guard by low-power wide-area networks in corporate environments.
Published: December 10, 2017

Interest in low-power wide-area networks (LPWANs) among Internet of Things (IoT) providers and end users is skyrocketing. LPWAN towers are popping up all over because they can connect devices across large geographic areas due to their long range, while using less battery power on the devices they connect, and offering cheaper data subscriptions than traditional cellular networks.

In fact, BI Intelligence estimates that the number of IoT devices connected via LPWANs will reach 700 million by 2021, which it says represents “remarkable growth for such a new technology that has little present adoption.” Such rapid adoption will not come without challenges. The biggest of these is security. Security personnel have visibility and control on their own network, but lose this when devices communicate via a third-party network, such as an LPWAN. In all probability, these networks already permeate your organization. The question is whether any devices are already deployed that use these networks.

That being said, here are several tips on what chief strategy officers and others can do to prepare for the growing popularity of lower-power and cheaper data connections finding their way into their organizations.

• Manage the risk: Update your organizations threat model. Take into account small, out-of-band sensor technologies and identify the risks they could pose to your organization.

• Increase your visibility: Use your people, processes and technology within the organization to detect LPWAN devices before they become a problem. You can’t tactically respond to a threat if you are unaware of it. Deploy a wireless discovery and mapping platform to identify devices inside your organization. Modify your procurement policies to ensure qualified security staff check for LPWAN antennas present in new devices before they enter the facility. In addition, understand what sensors are present on each device and whether they introduce new risks to your environment. Assume an attacker could take full control of a device, and decide what a malicious device could do where it is deployed. Finally, educate your personnel on the risks posed by these devices. Use your threat model for specific examples if they are not too sensitive. Teach them to identify and report unknown devices.

• Limit your exposure: For high-assurance areas, limit the electronics allowed in the vicinity. For new electronic devices, have them evaluated to understand what antennas are present on the device and whether they match the documented components.

• Pick a trustworthy provider: An LPWAN network provider is similar to a cloud provider. Your security is dependent on their security. A provider will run the network using a standard protocol, such as NB-IoT or Sigfox. However, there are optional security features each protocol provides that the network provider may or may not be using. Some of the security tradeoffs are discussed in this article. The provider is also responsible for protecting the data on its platform. Ensure that it has the proper controls and policies that meet your company’s requirements. Pay special attention to data-ownership rights and retention policies.

LPWAN devices will be physically present in corporate environments within the next few years. Preparing for them now will ensure your company is not caught off-guard.

As the chief technology officer at Kudelski Security, Andrew Howard is responsible for the evolution, development and delivery of the organization’s technology strategy and solution architecture, including selecting and validating third-party technologies and managing research, development and labs. Prior to joining Kudelski Security, Andrew was a laboratory director at Georgia Tech, spearheading the university’s information security research and advisory programs. He has served as advisor on emerging security threats to Fortune 250 CISOs and government bodies and has extensive experience as a security architect, strategist and technical leader. Andrew has an MBA in management of technology and a master’s degree in information security from the Georgia Institute of Technology, and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).