
Securely Unleashing the endless possibilities of IOT

Internet Of Things

CONTENTS

Executive Summary
Why Telefónica
Security Becomes ever more Paramount
The Telco Approach: A model for securing the IoT Ecosystem
Telefónica’s IoT Security Value Proposition
Conclusion
Gartner Research

“…endless possibilities that it can bring to improve our lives.”

Executive summary

The term Internet of Things (IoT) has become a buzzword in recent years, sharing the limelight with other technologies that are enabling the digital transformation across every aspect of our lives. Despite its novelty, IoT has grown faster than any previous communication technology, and associated challenges and learnings have emerged at that same speed. This has led to a rapid general awareness of security as a priority for main IoT players.

An outline of the current status of IoT opens this report. We will then present our specific approach model and value proposition for IoT security. This is underpinned by three key pillars, and is delivered with a portfolio of core security capabilities and cybersecurity services. Given that connectivity is present through the entire IoT journey, we address security issues as a whole, following a comprehensive approach to deliver end-to-end IoT security propositions to our customers.

WHY Telefónica?
THREE KEY PILLARS UNDERPIN OUR IOT SECURITY VALUE PROPOSITION:

Leveraging the network and platforms


Mobile Network Operators (MNO) have native advantages for providing security to the
IoT ecosystem. At Telefónica, we have developed the Kite Platform, which runs over the
network infrastructure and leverages its core capabilities. It is a managed connectivity
platform that improves customers’ productivity and connectivity cost management, and
increases security for their IoT deployments.

A comprehensive portfolio to deliver E2E security propositions

IoT services share all the security challenges that traditional IT services have and add new ones derived from the specific limitations of IoT devices. Therefore, offering an E2E security proposition for IoT requires a comprehensive portfolio that includes:
• Security products, that can be deployed within the infrastructure and whose operation is based on repetitive and procedural tasks that can be performed by traditional Security Operation Center (SOC) teams.
• Cybersecurity services, where the key element is the team, which is composed of highly skilled cybersecurity specialists.
• Consulting services, that can provide support during the pre-sales stage to understand the specific needs of the customer and build the right proposal, combining the P&S of the previous two bullets.

Nobody can do it alone; a robust partnership network is essential

The IoT is a fast moving, rapidly evolving ecosystem that opens up a wide range of new opportunities. In just a few years, it has evolved from a machine-to-machine (M2M) paradigm focused on B2B and vertical use cases, to a smart environment with millions of cellular connections, an emerging B2C application and an increasing range of standard definitions. The future seems to be even more complex, with billions of connections and thousands of applications on B2B, B2C and B2B2C.

This environment of constant change, together with the extremely long IoT ecosystem value chain makes matching security requirements an impossible task for a single company. Therefore, it is crucial to create an active and dynamic partnership ecosystem that can attract talent, technology and investment to face this challenging environment.

From measuring to rethinking reality, IoT is a journey full of possibilities

The IoT represents a very broad concept that includes any network of devices, such as vehicles, home appliances, electric or water meters, and other items that communicate across the internet without human intervention. These devices share information collected from sensors, or send commands to actuators that are close to or embedded on them.

Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers. In the near future, this vast number of devices will surround us, collecting data about our different activities and interacting seamlessly with us.

This scenario reveals endless possibilities for improving internal business efficiencies, delivering better customer experiences, building new services, and transforming business models.

Unleashing the full potential of any of these business opportunities requires a smart combination of a multidisciplinary set of technologies. In fact, according to social media analyst company ZK Research, we are living in the middle of a “perfect storm”, similar to the one that kicked off the internet era, and that is now driving the growth of the IoT. It consists of several factors: digital transformation; low-cost sensors; standardization to Internet Protocol; the growth of Big Data; the rise of social media; and Cloud Computing.

“Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers.”

*Source: Gartner, Address Cybersecurity Challenges Proactively to Ensure Success With Outsourced IoT Initiatives, DD Mishra, Earl Perkins, Stephanie Stoudt-Hansen, 5 June 2018

Security becomes ever more paramount

“…complex due to lack of standardisation across the devices...”

From improving the efficiency of a business to opening up new business opportunities, the advantages of embracing the IoT are so huge that every company or sector will benefit from its adoption sooner or later. As more and more companies base their businesses on the IoT infrastructure, security becomes ever more paramount. At the same time, the growing presence of IoT will also increase the awareness of security needs, and will boost the development of tools and solutions from every aspect of the world of IoT.

The rapid growth of IoT will also be reflected in the evolution of security. This has happened many times before, such as when the expansion of the automotive industry instigated the transformation of roads into safer motorways.

The IoT journey spans across many different areas, and whilst each of these has its own particular features to be specifically analysed, they all share a key commonality: the need to provide network connectivity to the devices, with IoT platforms that process sent information and enforce applied actions. This constant presence enables Telefónica to look at the big picture and wider approaches to the IoT security issue as a whole, filling the gaps between the specialists at every step of the journey.

Key aspects in securing IoT services

With every new technology there are new challenges, largely due to the great number of players involved at each stage of progression. As the new technology is adopted by more and more users, the offering becomes clearer and the remaining products and services are those that give the best, most reliable experience at every level. Within the IoT environment the maturity of products and services is increasing every day. IoT designers, developers and users now fully understand which objectives are critical for mass adoption, and the whole IoT industry is advancing in the same direction.

Reduce diversity

There are many diverse IoT devices available and most of them have different hardware, firmware, operating systems and other needs to be addressed. Much effort is currently being directed towards improving compatibility and standardization across the devices.

New long-life batteries specific for IoT devices

Devices with limited CPU or battery life may face difficulties running certain processes. Being able to process huge amounts of data in real time is also an issue to consider, as well as how to manage, monitor and maintain such a high number of heterogeneous devices.

Ensuring device authentication

Connecting devices that have not been connected before reveals that they were not designed with security in mind. It is vital that device manufacturers provide security mechanisms that are able to respond quickly to incidents and, at the same time, have resilient capabilities to overcome them. Finally, many of these devices have long life cycles, ranging from 15 to 20 years, and require designs and procedures that ensure maximum security during the whole lifetime.

Therefore, a redefinition of basics will lead to a more secure IoT landscape. Most of what is required – such as edge protection, proper identity, access management mechanisms and data protection – is similar to traditional IT security, but needs rethinking and adapting.

LEARNING FROM THE BEGINNING

The uprising of a new technology opens up the doors for a world of possibilities that expands at every use. This first “big bang” moves so fast that some may find security breaches, but within the digital environment there is a common global awareness about security issues from the acquired experience with previous IT developments. Therefore, learnings have been rapidly adopted by main IoT providers since the very first incidents. Cybersecurity is now undoubtedly considered as a key aspect for any IoT device or solution from the very beginning.

Software providers must be thoroughly chosen

Connected cars are governed by software code just like computers or smartphones connected to the internet. Hence, they require similar security mechanisms and should be updated and protected to avoid exposing vulnerabilities that might have catastrophic consequences. In many cases this software is supplied by the car’s manufacturer, which means that software providers must be considered in their supply chain risk management as thoroughly as any other provider.

Keeping this in mind is key to neutralising attacks such as the one in 2015, when security analysts were able to remotely control a car by exploiting a zero-day vulnerability. They were able to hack the entertainment system that runs on a Linux operating system, as had already been shown in other car models. In this case, they were also able to send commands that performed different actions, such as beeping the horn, pulling the seat belt or even disabling the brakes. They accessed many of these on-board components via the CAN bus, the internal network of the car that controls many of the components electrically, thus giving them control of the multimedia system.


Internet connected devices require the same security controls as any PC or smartphone

Some devices, such as IP cameras, are based on operating systems that are no different from that of a traditional computer or smartphone, and therefore have similar security requirements.

In the connected PC era, automatic software and antivirus updates have become essential security tools and mechanisms; their introduction marked relevant changes in the dominant operating systems and the birth of free antivirus software. Since the IoT device market is still fragmented, these solutions are tougher to apply, but are even more necessary.

Efficient security controls were not in place in 2016 when the self-propagating Mirai botnet infected devices using a procedure as simple and common as default credentials testing. The attack was directed at Dyn, one of the most important DNS hosts at the time. It affected sites such as Twitter, Spotify and GitHub, rendering them unavailable for several hours. The Mirai botnet had been specially designed to target IoT devices using two main components. On the one hand, it had a scanner that continually searched for new IoT devices to be compromised. On the other hand, its command and control center sent instructions to launch attacks against victims.


When connected to the internet, no device can be ignored

A system or infrastructure is only as secure as its weakest link. We cannot ignore devices that seem irrelevant to the business if they are connected to the internet. A seemingly innocuous device can be the gateway for cyber-attackers.

Take a thermometer, for instance. After hacking the internet-connected thermometer of a fish tank, cybercriminals were able to access the manufacturer’s entire corporate network from the device and infiltrate its customer database.

The main learning from these three cases is that security needs for IoT are no different to traditional security needs. Although the IoT has particular features that will require ad hoc solutions, IoT service ecosystems share Cloud infrastructures, and a complete E2E package will require adding some traditional solutions in order to provide comprehensive security proposals.

We have not reduced our daily use of the internet or the smartphone for security reasons; rather, we have strengthened our defences and remain vigilant. The immense possibilities of IoT are an even greater incentive to keep progressing in this way.

The TELCO approach: A model for securing the IoT ecosystem

Although it is generally accepted that an in-depth security analysis requires consideration of each specific vertical, it is possible to define a horizontal model to set the common framework for the IoT paradigm. Figure 1 represents an IoT model based on the one proposed by the GSMA. The architecture of IoT services can be generally represented with three key groups of components: endpoints, networks, and platforms.

IoT SPECIFIC SECURITY CHALLENGES: Must address the IoT scale and limitations
TRADITIONAL IT SECURITY: Known field but must be done properly

Devices: ENDPOINT SECURITY
• Limited resources
• Remote operation
• Long life cycles

Networks and Managed connectivity: NETWORK BASED SECURITY
We can leverage on the networks to reduce complexity on the endpoint and secure its integration with the service platform

Platforms and Applications: SERVICE PLATFORMS SECURITY
• Diversity of platforms
• ElevenPaths product portfolio and capabilities

Figure 1. IoT security model

The endpoint ecosystem

The endpoints – which are the IoT devices – are usually geographically dispersed and fundamentally send information from the sensors to the platform that enforces the requested actions. From a security perspective, the endpoints have some key limiting features that must be considered:
• They have limited processing and battery resources, which makes adding security capabilities (such as data encryption) more challenging.
• In most cases they must be remotely operated due to geographical dispersion, which requires secure mechanisms for remote monitoring and management.
• Most endpoints are physically accessible to an attacker. This means they require secure designs that protect the devices from physical manipulation.
• These devices also have long life cycles that can reach up to 10 years, and require specific security mechanisms and procedures to ensure resiliency of the IoT infrastructure.

However, there is also another feature that represents an advantage from a security perspective. Unlike multipurpose devices, such as smartphones and computers that can host a wide range of applications with different communication patterns, IoT devices tend to focus on very specific applications. This simplifies the profiling of the device and, hence, the detection of anomalous activity.
The IoT service ecosystem

On the other side of the model we have platforms, which can be both in the Cloud or on-premise, and have many additional features and capabilities to facilitate the interaction with IoT devices and the development of services. Currently, there is a great diversity of Cloud platforms, whose main representatives are Amazon Web Services (AWS), Google Cloud Platforms, IBM Bluemix, and Microsoft Azure. Apart from the diversity among them, which forces developers and engineers to define different security mechanisms, there are few security mechanisms that leverage network capabilities for IoT infrastructures. Reinforcing these could simplify and enhance their implementation and configuration.

Networks and managed connectivity

This is where MNO can provide a key differential value. Communication network components are inherent to IoT, and they are built over standards (e.g. Long-Term Evolution (LTE)), where ‘security by design’ has been a key principle. Both facts set a strong foundation for enabling MNO as providers of compelling E2E security propositions that extend their core security capabilities. Some of the key security features required for IoT are:

Identification and authentication of the devices involved in the IoT service

Within a cellular connected IoT service, endpoints are identified using the IMSI and/or IMEI that is currently used for managing device connectivity. Building on this, device identity management from platform access can also be provided (e.g. using digital certificates), simplifying device management not just at a network connectivity level but also at an IoT service level.

Access control for the different devices that need to be connected to create the IoT service

Current managed connectivity platforms enable IoT service providers to set controls over endpoints, such as device whitelisting (for blocking SIM cards that are inserted into a device whose IMEI is not included on the list) or SMS origin number whitelisting. By adding device identity management for the IoT service ecosystem, the controls can be extended to the service layer.

Data protection to guarantee the security (confidentiality, integrity, availability, authenticity) and privacy of the information carried by the network for the IoT service

Network operators traditionally provide public telecommunications infrastructure or a mixture of public and private network infrastructure. Many network operators can ensure that the customer/user data that transits their public network infrastructure is encrypted between the point that the data enters the public network infrastructure and the point that it leaves the network. If required, network operators can also assist IoT service providers to deploy or derive their own encryption credentials to also guarantee data protection.


Processes and mechanisms to guarantee availability of network resources and protect them against attack

For some applications, such as e-health and critical infrastructures, communications availability can be a critical issue, as we saw in the Learning from the beginning section of this report. This is an increasing concern as the number of “things” connected via the internet continues to grow, and it is crucial to test that these devices do not have any vulnerabilities or insecure configurations that may be subject to undesired attacks. Network operators already have services that can prevent and mitigate these attacks and their consequences by applying filtering mechanisms to filter out attack traffic and deliver only clean traffic.

Communications monitoring and analytics for detecting anomalous activity

The devices in an IoT ecosystem tend to be purpose-specific, which facilitates their profiling. In addition, unlike devices and back-end services in Cloud platforms, network traffic evidences are not easy to tamper with. As a result, techniques applying machine learning for profiling devices and detecting anomalous behavior for signs of security incidents are key security features that network operators can add to their proposals.
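
Because a purpose-specific device talks to few endpoints with regular volumes, even a small per-device baseline separates normal from anomalous flows. The following Python is an added example, not part of the original report: it uses a simple statistical baseline in place of the machine learning the text mentions, and the flow tuple format, thresholds and sample flows are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training flows: (device_id, destination_ip, destination_port, bytes).
# A smart meter that only ever reports to one MQTT-over-TLS collector.
BASELINE_FLOWS = [
    ("meter-01", "10.0.0.5", 8883, 510),
    ("meter-01", "10.0.0.5", 8883, 498),
    ("meter-01", "10.0.0.5", 8883, 505),
    ("meter-01", "10.0.0.5", 8883, 512),
    ("meter-01", "10.0.0.5", 8883, 500),
]


def build_profiles(flows):
    """Learn, per device, the set of endpoints used and the typical flow size."""
    endpoints = defaultdict(set)
    sizes = defaultdict(list)
    for device, dst, port, nbytes in flows:
        endpoints[device].add((dst, port))
        sizes[device].append(nbytes)
    return {
        device: {
            "endpoints": frozenset(endpoints[device]),
            "mean": mean(sizes[device]),
            "std": pstdev(sizes[device]),
        }
        for device in endpoints
    }


def score_flow(profiles, flow, k=4.0, min_std=16.0):
    """Return a list of findings for one observed flow (empty list = normal).

    k and min_std are assumed tuning values: a flow is flagged when it exceeds
    mean + k * std, with std floored so a very regular device is not flagged
    for a few extra bytes.
    """
    device, dst, port, nbytes = flow
    profile = profiles.get(device)
    if profile is None:
        return ["unknown device"]
    findings = []
    if (dst, port) not in profile["endpoints"]:
        findings.append(f"new endpoint {dst}:{port}")
    limit = profile["mean"] + k * max(profile["std"], min_std)
    if nbytes > limit:
        findings.append(f"volume {nbytes} B above limit {limit:.0f} B")
    return findings


def triage(profiles, flows):
    """Map each anomalous flow to its findings, skipping normal traffic."""
    report = {}
    for flow in flows:
        findings = score_flow(profiles, flow)
        if findings:
            report[flow] = findings
    return report


# Constructed observations; 198.51.100.23 is a documentation-range address.
OBSERVED_FLOWS = [
    ("meter-01", "10.0.0.5", 8883, 507),        # normal report
    ("meter-01", "198.51.100.23", 23, 120),     # endpoint never seen before
    ("meter-01", "10.0.0.5", 8883, 48000),      # known endpoint, abnormal volume
    ("cam-99", "10.0.0.5", 8883, 500),          # device with no baseline
]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE_FLOWS)
    for flow, findings in triage(profiles, OBSERVED_FLOWS).items():
        print(flow, "->", "; ".join(findings))
```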
Telefónica’s IoT security value proposition

Three key pillars underpin our IoT security value proposition:
• Leveraging the network and platforms built over network capabilities
• Managing a comprehensive security portfolio to deliver E2E propositions
• Building a strong partnership ecosystem to deliver compelling propositions


Leveraging the network and platforms

MNO have native advantages for providing security to the IoT ecosystem. Typical security requirements such as network availability, data encryption or device authentication have been embedded into Telco’s networks for decades, which makes cellular networks highly reliable. Among these security requirements, there are two that are particularly relevant for IoT security:
• Mutual authentication between the devices and the network. This is based on a trusted hardware (SIM card), which enables a secure and reliable communication channel between devices and the core network.
• Strong over-the-air (OTA) encryption (128-bit key, AES-like in LTE) and integrity assurance. This is a key component for delivering device credentials through a secure channel and also providing mutual authentication between devices and Cloud platforms.

Complementing these core capabilities, the following network-based features and services set a differential proposal for MNO:
• Virtual private networks (VPN) – MPLS or IPsec, depending on the project specifics – in order to secure and isolate the communication from devices to the customer data platform.
• A private Access Point Name (APN) per customer to isolate devices from the internet. This prevents them from being accessible through a public IP, being port-scanned or appearing in databases of devices that can be reached through the internet, such as the Shodan database.
• Capabilities for detecting suspicious network activity. As IoT devices can be easily tampered with, either physically or remotely, network-based detection can provide an additional protection by detecting suspicious activity.

Kite Platform

We have developed the Kite Platform, which runs over the network infrastructure and leverages its core capabilities. Kite is the foundational component of our IoT value proposition. It is a managed connectivity platform that improves customers’ productivity and connectivity cost management, and increases security for their IoT deployments.

The Kite Platform allows a quick and easy integration of IoT services into customer processes and systems through application programming interfaces (API), which contributes to increasing customers’ productivity. In order to further enhance the customer experience, the platform’s functionalities are available through a web portal that can be accessed via most common web browsers. It also offers different schemes of SIM lifecycle status models to accommodate the customer product lifecycle.

When it comes to connectivity cost management, the Kite Platform offers a wide set of tools to automatically control costs associated with SIM traffic, operation, maintenance and inventories. With regards to security, it offers a set of controls, including:
• Device whitelisting. Customers can upload a list of device IMEIs or IMEI patterns to control the devices that can use the SIM cards.
• SMS MO origin number whitelisting to avoid customer devices receiving SMS commands from non-authorized numbers. It also validates the original SMSC to avoid SMS origin number spoofing.
• Receiving cellular network signalling information, so that the platform can notify customers and take action. It also deactivates SIM cards from unexpected locations or that have excessive data usage.
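
The three controls listed above can be read as one admission policy evaluated per SIM. The Python below is an added example, not Kite Platform code or its API: the `SimPolicy` fields, the `*` pattern syntax, the action names and all sample values (IMEIs, numbers, quota) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


def imei_is_valid(imei: str) -> bool:
    """True for 15 digits whose last digit is a correct Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for index, char in enumerate(imei):
        digit = int(char)
        if index % 2 == 1:  # every second digit is doubled, digits of the result summed
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


@dataclass(frozen=True)
class SimPolicy:
    """Hypothetical per-customer policy; field names are assumptions."""
    imei_patterns: tuple      # exact IMEIs or prefix patterns such as "49015420*"
    sms_origins: frozenset    # numbers allowed to send SMS commands to devices
    trusted_smsc: frozenset   # SMSC addresses those numbers are expected to use
    allowed_mcc: frozenset    # mobile country codes where the SIM should attach
    quota_bytes: int          # data volume above which the SIM is deactivated


def check_device(policy: SimPolicy, imei: str, mcc: str, used_bytes: int):
    """Decide what to do with a SIM given the signalling data seen for it."""
    if not imei_is_valid(imei):
        return ("block", "malformed IMEI")
    if not any(fnmatchcase(imei, pattern) for pattern in policy.imei_patterns):
        return ("block", "IMEI not whitelisted")
    if mcc not in policy.allowed_mcc:
        return ("deactivate", "unexpected location")
    if used_bytes > policy.quota_bytes:
        return ("deactivate", "excessive data usage")
    return ("allow", "ok")


def check_sms(policy: SimPolicy, origin: str, smsc: str):
    """Accept an SMS command only from a whitelisted origin via a trusted SMSC."""
    if origin not in policy.sms_origins:
        return ("drop", "origin not whitelisted")
    if smsc not in policy.trusted_smsc:
        # A whitelisted origin arriving through an unknown SMSC suggests spoofing.
        return ("drop", "untrusted SMSC for whitelisted origin")
    return ("deliver", "ok")


# Constructed sample policy and events (not real customer data).
POLICY = SimPolicy(
    imei_patterns=("49015420*",),
    sms_origins=frozenset({"+34600000001"}),
    trusted_smsc=frozenset({"+34600000900"}),
    allowed_mcc=frozenset({"214"}),   # 214 is the mobile country code for Spain
    quota_bytes=50_000_000,
)


def run_demo():
    """Evaluate a handful of constructed events against POLICY."""
    return [
        check_device(POLICY, "490154203237518", "214", 10_000),      # expected device
        check_device(POLICY, "356938035643809", "214", 10_000),      # SIM moved to other hardware
        check_device(POLICY, "490154203237518", "208", 10_000),      # attaches abroad
        check_device(POLICY, "490154203237518", "214", 60_000_000),  # over quota
        check_sms(POLICY, "+34600000001", "+34600000900"),           # genuine command
        check_sms(POLICY, "+34600000001", "+34600000999"),           # spoofed origin
    ]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```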
A COMPREHENSIVE SECURITY PORTFOLIO TO DELIVER E2E SECURITY PROPOSITIONS

ADVANCED SOLUTIONS: IoT, Fraud, ICS, Industries
CYBERSECURITY SERVICES: Managed Security Operations, Managed Detection & Response, Digital Exposure, Integrated Risk Management
SECURITY PRODUCTS: Network & Device Security, Application Security, Cloud & Data Security, Identity & Access Management
CONSULTING SERVICES
This portfolio is arranged into four key groups:

Security products
A set of security products (lower green layer) that can be deployed within the infrastructure. Operation of the products is based on repetitive and procedural tasks that can be performed by traditional SOC teams.

Cybersecurity services
A set of cybersecurity services (middle light blue layer) where the key element is the team, which is composed of highly skilled cybersecurity specialists. Key to service success, the team bases its work on tools and services that are also part of the service blocks of this layer or the previous one.

Consulting services
Consulting services (right side dark blue box) that can provide support during the pre-sales stage to understand the specific needs of the customer and build the right proposal, combining the P&S of the previous two bullets. These services can also be extended during the initial stages of the project, as they can be required in any project where any of the previous P&S are involved. Consulting services are key to understanding the specific needs of the customer and tailoring the solution to best fit their needs, especially for the most innovative and disrupting customers in their sectors.

Advanced solutions
The top layer groups solutions that are tailored to specific sectors or industries and share two key properties. Firstly, they need to be flexible and modular in order to adapt to the specific needs of each customer. This is especially relevant in the case of IoT, as customers may have different security and privacy requirements depending on their specific sector. Secondly, they are based on the P&S of the rest of the layers and may also include other specific modules or components.

It is worth noting some of the services that are more relevant in IoT security. Managed Security Operations relieve customers from the challenges involved in deploying and operating their own SOC. Instead, they can rely on our 11 SOCs located around the world. Device management is one of the most common services used by customers. Although most devices are computers and smartphones – which are the traditional devices in IT security – “things” management will benefit from this background.
In the Digital Exposure group, two services deserve being highlighted:

Vulnerabilities management with Vamps:
The Vamps service provides a global view of organizations’ weaknesses, anticipating potential attack methods against their systems and allowing quick management of their correction. As part of this solution, the Faast service allows persistent penetration testing of critical infrastructure assets. This periodically updates new vulnerabilities or warns of any previously detected ones that remain unsolved.

Incident anticipation with CyberThreats:
The CyberThreats service helps by continuously preventing, detecting and responding to potential cyber threats that can have a major impact on an organization’s business model. CyberThreats covers all phases of the cyber threat lifecycle, thanks to a holistic risk management model, focused on cyber intelligence.


Finally, in the Integrated Risk Management group we have SandaS GRC, a platform for supporting consulting services for governance, compliance and risk assessment. SandaS GRC helps organizations support their business strategy, improve their operational performance, reduce operational risks, and ensure regulatory compliance. The latest version of SandaS GRC includes the GSMA IoT Security Assessment checklist, a useful tool for cybersecurity consultants wishing to assess the security of an IoT infrastructure, based on the model and requirements published by the GSMA. We have actively participated in this document set and have also successfully applied it to a project (see the Securing the Port of the Future case study).


Nobody can do it alone; a robust partnership network is ESSENTIAL
The IoT is a fast moving, rapidly evolving ecosystem
that opens up a wide range of new opportunities.
In just a few years, it has evolved from a machine-
to-machine (M2M) paradigm focused on B2B
and vertical use cases, to a smart environment
with millions of cellular connections, an emerging
B2C application and an increasing range of
standard definitions. The future seems to be even
more complex, with billions of connections and
thousands of applications on B2B, B2C and B2B2C.
This environment of constant change, together
with the extremely long IoT ecosystem value chain
(device manufacturers, communication service
providers, Cloud platform providers, and application
developers, to name a few) makes matching
security requirements an impossible task for a
single company. Therefore, it is crucial to create an
active and dynamic partnership ecosystem that can
attract talent, technology and investment to face
this challenging environment.


An initiative of this nature must consider the following key elements:
• Attracting talent and identifying relevant projects and initiatives at a very early stage. This means establishing good connections with universities and specialist research centres, and promoting events that help to identify these initiatives.
• Setting and funding the resources that project leaders may need in order to facilitate the development of their ideas and initial market testing.
• Investing in start-ups that have implemented a solid value proposition and may require funds to be delivered to the market.

Conclusion
In this report, we have described the key
capabilities and assets that MNO need to consider
for IoT security. They set a foundation from
which to start building compelling E2E value
propositions, and adding advanced security services
and products. Some of these could be developed
in-house, but a significant number will require
partnering with leading companies in each specific
area of security. In both cases, the systemic vision
of Telefónica for IoT adds another point of view at
a larger scale to the ones of specialists in specific
types of devices and solutions.
The significant business growth of – and relevant
investment in – cybersecurity over the past few
years has allowed us to devise a comprehensive
portfolio and build an extensive partnership
network; creating the perfect platform from which
to help its clients take maximum advantage of the
IoT revolution.

iot.telefonica.com


Address Cybersecurity Challenges Proactively to Ensure Success With Outsourced IoT Initiatives

FOUNDATIONAL
Refreshed: 5 June 2018 | Published: 17 February 2017 | ID: G00319712

Analyst(s): DD Mishra, Earl Perkins, Stephanie Stoudt-Hansen

Summary

Cybersecurity concerns are major barriers to the success of the Internet of Things. Sourcing and vendor management leaders must ensure that cybersecurity policies address the risks of IoT and, by working closely with procurement teams, create an approved list of IoT providers.

FOUNDATIONAL DOCUMENT
This research is reviewed periodically for
accuracy. Last reviewed on 5 June 2018.
Internet Of Things

IMPACTS
• Existing cybersecurity policies and procedures will undergo changes to support the adoption of the Internet of Things (IoT), introducing new cybersecurity challenges for sourcing and vendor management leaders.
• Increased competition will drive enterprises toward rapid adoption of the IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity.
• Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and a myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching the demand and supply together.

Recommendations
To address the cybersecurity risks of IoT, sourcing and vendor management leaders should:
• Collaborate with business and IT stakeholders to identify and formalize all cybersecurity concerns and risks.
• Ensure internal policies, processes and quality assurance mechanisms are aligned with their service provider’s obligations at the time of negotiations.
• Create an approved list of IoT products and service providers, including their capabilities and track records on cybersecurity as the key parameters for shortlisting.
• Incorporate a data protection and open-source agreement into the contracts, which ensures any data generated is either secured or purged after use or at the termination of the contract.

Strategic Planning Assumption
By 2020, 60% of digital businesses will suffer major
service failures due to the inability of IT security
teams to manage digital risk.

Analysis
As the personal world of connected consumer devices — such as wearables and health monitoring — collides with the IoT, consumer and organizational IT will become indistinguishable, and digital capabilities throughout the enterprise will simply merge. This has generated significant interest from an IoT strategy perspective among businesses. The inquiry volume has stabilized to 10% of the yearly volume of IoT inquiries every month consistently between May 2016 and December 2016. During the second half of the year, the inquiry volume was more than double with respect to the first half showing increased maturity and interest.[1] Supporting this evidence is the increased interest in cybersecurity (see Note 1) and privacy concerns, which remain the biggest barriers to IoT success (as shown in Figure 1). In a Gartner survey on the IoT conducted during the fourth quarter of 2016, security concerns, potential risks and liabilities, privacy issues, and regulatory issues were among the top 10 barriers, with security concerns as the main barrier to the success of IoT.[2] This research will focus on addressing the required sourcing and vendor management leader actions to address the main barrier depicted in Figure 1: cybersecurity.

Figure 1. Barriers to IoT Success

Barrier                                                              Ranked First  Ranked Second  Ranked Third  Total
Security concerns                                                    12            12             10            35
Cost/funding concerns                                                12            10             10            32
Implementation/integration complexity                                10            10             9             29
Privacy concerns (e.g. of customer or enterprise data)               8             9              9             25
Potential risks or liabilities                                       8             7              9             25
Difficulty in predicting business benefits                           7             8              8             23
Regulatory issues/concerns                                           7             7              8             23
Technology is immature                                               7             7              7             21
Resistance to change within the organization                         7             7              7             20
Insufficient time or resources to develop ideas to benefit from IoT  7             6              7             20
Lack of necessary staff skills                                       5             7              7             19
Fragmented executive leadership                                      5             5              5             15
No real leadership for IoT within the organization                   4             5              4             13
Other barriers                                                                                                  0

Notes:
Question we asked: What are the three greatest barriers to the success of your organization’s IoT activities?
Number of respondents = 2,539.
Multiple responses were allowed.

Source: Gartner (February 2017)

The evidence available (from public domain sources) warns that one of the biggest distributed denial-of-service attacks ever seen took place in Europe, where a botnet comprising thousands of hacked IoT devices took aim at a European web host, flooding it with a data deluge that exceeded one terabit per second.[3] Similarly, it has been revealed that smart TVs are also vulnerable to hacking, using simple devices.[4] The IoT brings unprecedented security risks and challenges to enterprises as it makes further inroads into businesses.

Currently, as revealed in Gartner’s “Hype Cycle for Enterprise Architecture, 2016,” IoT architecture has entered the Peak of Inflated Expectations. It will reach the Plateau of Productivity within five to 10 years, while in the meantime, continuing to grow at a steady pace. Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers.[5]

Businesses will see rapid adoption, and suppliers will produce devices at a rapid pace. During this fast adoption phase, clients should practice restraint when acquiring IoT products and IoT-based solutions and services, or when selecting service providers for IoT products, solutions or services. Businesses need to ensure that IoT solutions are secure before committing to acquire them.

In addition, since revenue maximization is one of the top objectives of businesses, risk management needs to be addressed in a sensible manner so that it does not become an inhibitor. Businesses must learn how to mitigate risks faster on their journey for rapid adoption, enabling the business to quickly implement IoT processes with an ecosystem of partners. This is the main objective for sourcing and vendor management leaders strategizing for IoT implementation.

Gartner sees the following key impacts for sourcing and vendor management leaders when correlating the IoT and cybersecurity, as depicted in Figure 2.


Figure 2. Impacts and Top Recommendations for Sourcing and Vendor Management Leaders

Impact: Existing cybersecurity policies and procedures will undergo changes to support the adoption of the IoT, introducing new cybersecurity challenges for sourcing executives.
Top recommendation: Review architecture and design cybersecurity. Evaluate internal policies, processes and quality assurance mechanisms. Consider available frameworks and guidelines (such as FTC rules) before investigating the IoT provider market.

Impact: Increased competition will drive enterprises toward rapid adoption of IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity.
Top recommendation: Create an approved list of IoT products and providers, including their capabilities and track records on risk, cybersecurity, privacy and compliance, as a key parameter for shortlisting.

Impact: Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching the demand and supply together.
Top recommendation: Incorporate a data protection agreement to ensure any data generated is either secured or purged after use or termination of contract.

FTC = Federal Trade Commission

Source: Gartner (February 2017)



Impacts and Recommendations

Existing cybersecurity policies and procedures will undergo changes to support the adoption of the IoT, introducing new cybersecurity challenges for sourcing and vendor management leaders

The proliferation of IoT solutions and services, in combination with the rapid adoption of IoT by consumers and businesses, puts pressure on the sourcing and procurement teams to accept solutions and services with limited built-in or architected cybersecurity and safety features. In the same sense, service providers are using the competitive pressure to directly sell to business buyers, circumventing sourcing and procurement altogether, introducing numerous potential vulnerabilities.

This will place businesses in jeopardy when such IoT products or services are deployed in a mission-critical role. Hence, sourcing and vendor management leaders must invest in creating and maintaining a flexible, yet unambiguous, IoT risk mitigation strategy that can be applied rapidly during the initial selection and contracting period, with a main focus on cybersecurity.

Recommendations
Sourcing executives should:
• Collaborate with business and IT stakeholders to establish an IoT center of excellence (COE) and formalize IoT adoption principles covering — at minimum — cybersecurity, privacy and compliance. An effective COE can then establish a framework for adoption, enabling processes and structures, to provide help in creating a productive digital business and IoT strategy. The COE should also provide for terms and conditions that can be incorporated in agreements during the implementation of IoT products and services.
• Engage with cybersecurity and compliance teams to ensure that new policies and procedures manage risks associated with IoT. Review current guidance, such as the FTC rules, to ensure risks are measured, and mitigation activities are defined and formalized.[7]
• Always consider external IoT specialists to develop an enterprise risk management framework for the evolving IoT ecosystem. Even if there is an internal COE, it’s better to be safe than sorry.

Increased competition will drive enterprises toward rapid adoption of the IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity

The fine balance between agility and cybersecurity, risk and compliance needs to be defined. Sourcing and vendor management leaders working closely with cybersecurity, procurement, finance, IT and business teams can devise ways that can enable such rapid implementation — especially since blocking the pace of adoption with constraints may be detrimental for the business. The principle of imposing control through command, constraint and compliance must transform to become engaging, thus enabling and empowering the business with suitable processes, frameworks and tools.

Unfortunately, it cannot be ruled out that, in some cases, other departments within the business will circumvent the IT department completely by directly procuring the necessary IoT components. This is a significant concern, corroborated by the current and similar situation occurring with cloud adoption, which we have observed over some time. This can bring additional cybersecurity challenges.

Recommendations
Sourcing and vendor management leaders should:
• Collaborate with procurement and business teams to explore IoT devices, services, products and providers to create a preapproved list generated from lessons learned with existing deployments involving cybersecurity and compliance. This will make cycle times shorter and enable rapid adoption.
• Conduct workshops with business leaders to understand the IoT roadmap, and trigger business awareness about safety and cybersecurity requirements as necessary. Create documentation or a playbook to raise awareness on guidelines for purchasing and contractual protections.

• Collaborate with legal, compliance, cybersecurity, consultants and business stakeholders to produce a threat model for IoT. Where necessary, conduct a “readiness review” using an external consultant to ensure that the organization is prepared from both a business and technology perspective.
• Enable rapid prototyping and proof of concept (POC) mechanisms for adoption and incorporation of new IoT products and services by developing IoT-specific sandbox environments and processes. Secure risk management and stakeholder involvement, creating environments that include cybersecurity aspects and support rapid prototyping as well. Produce checklists of risk, compliance and cybersecurity to ensure that they are suitably addressed during rapid IoT POCs. This will shorten the adoption cycle time of the IoT.
• Demonstrate the benefits of a strong demand management framework to the business, while not restricting business development. Focus the framework on matching business demand with analyzed IoT products and technology services, and service providers. Ensure the matching allows for rapid POCs. That way, sourcing will be involved when decisions are made at the business level to acquire new IoT-related capabilities so they can help to vet providers and leverage pooled spend.

Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and a myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching demand and supply together

A report published during June 2014 by HP demonstrates that six out of 10 devices with user interfaces are vulnerable to a range of cybersecurity issues. Furthermore, 70% use unencrypted data.[8] Something as basic as corrupted data in a power distribution system can result in substantial risk. A 2012 Computerworld report explained how a heart pacemaker could be hacked to provide a deadly 830-volt jolt.[9]

The IoT will drive convergence of operational technology with IT, which will make things riskier. A large number of devices do not follow the standards and norms traditional IT equipment is built with — partially because of the market pressure to create new products fast, and partially because of the lack of international standards for an increasing number of devices and solutions built on proprietary platforms. This introduces new challenges and vulnerabilities from a cybersecurity and compliance perspective (see Figure 3).

Figure 3. Governance Challenges for IoT Implementation

• Data Security: 31%
• Data Standards: 21%
• Privacy of Sensitive Data: 20%
• Data Quality: 18%
• Retention & Disposal: 10%
• Other: 0%

Source: Gartner (February 2017)

The IoT ecosystem is complex and massive. Currently, standardization does not exist, and maturity is evolving. At present, there is insufficient regulation protecting consumer interests. There is hope that technology alliances and go-to-market partnerships will develop sector experience and acumen. The ecosystem of IoT is grouped into different types of providers, such as:
• IT providers and system integrators (such as IBM, HPE, CSC, Accenture, Capgemini, Atos, Oracle, Microsoft and SAP)
• Communication providers (like NTT Data, AT&T, T-Mobile and Verizon Communications)
• Infrastructure gateway providers (like IBM, Hitachi, Juniper Networks, Cisco Systems, HPE and Fujitsu)
• Original equipment manufacturers (such as Johnson & Johnson, GE, General Motors, Ford Motor, Siemens, Bosch, ABB and Philips)
• Semiconductor manufacturers (like ARM Holdings, Intel, Qualcomm and STMicroelectronics)

Recommendations
Sourcing and vendor management leaders should:
• Engage intensely with providers to understand the portfolio of IoT offerings, market share, verticals supported, growth of IoT business and regions served. Thereafter, revisit the sourcing strategy and seek a deeper alignment through adaptive sourcing. Organizations that develop maturity in sourcing will be more capable of managing risks and compliance from the IoT.
• Collaborate with the legal, IT and compliance teams to establish an integrated contractual framework for your business initiatives, to ensure that the provider will comply with your organization’s ecosystem. Ensure IoT and cloud-related risks are addressed by the business framework.
• Focus on organizational training and awareness before engaging with providers. Include training and awareness as a part of provider obligations.
• Engage consultants and experts to deal with cybersecurity and the integrity of data. IoT initiatives often bring vast data management challenges, since such a huge amount of data is generated. Therefore, the organization will have to analyze what data is useful and how it should be organized to ensure optimal utilization of resources, such as storage, computing and network, as well as discarding unnecessary information and using encryption where needed.

Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
“Prepare for the Internet of Things to Drive Big Change in Sourcing”
“Mitigate Digital Security Risks and Emerging Threats in IT Outsourcing by Solidifying Scope and Support of Stakeholders”
“The Four Steps to Manage Risk and Security in Bimodal IT”
“Toolkit: Risk Scoring Tool for Sourcing Digital Services”

Evidence
[1] Inquiry trend for IoT-related inquiries reveals that between the first half of 2016 and the second half of 2016, the number of inquiries increased almost by 140%. The inquiry volume sharply started rising during the first half of 2016 and became consistent in the second half.
[2] In “Survey Analysis: 2016 Internet of Things Backbone Survey,” Figure 6, “Barriers to IoT Success,” security concerns were ranked at the top (No. 1), privacy concerns was at No. 4, potential risks and liabilities were at No. 5, and regulatory issues/concerns were at No. 7 (n = 2,539) in terms of barriers to IoT. The question asked was: “What are the three greatest barriers to the success of your organization’s IoT activities?”
[3] M. Miliard, “Massive DDoS Attack Harnesses 145,000 Hacked IoT Devices,” Healthcare IT News, 29 September 2016.
[4] J. O’Callaghan, “Could Your Smart TV be Hacked? ‘Red Button’ Feature Could be Used to Hijack Web Accounts,” Daily Mail, 9 June 2014.
[5] T. Danova, “Morgan Stanley: 75 Billion Devices Will Be Connected to the Internet of Things by 2020,” Business Insider India, 3 October 2013.
[6] In “Survey Analysis: The Internet of Things Is a Revolution Waiting to Happen,” Figure 4. IoT Leadership (n = 456) shows that 77% of organizations do not have IoT leadership.
[7] “FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks,” FTC, 27 January 2015.
[8] HP’s security research, related to IoT, revealed some interesting insights into the IoT security. For further information, see “Internet of Things Research Study,” HP, September 2014.
[9] J. Kirk, “Pacemaker Hack Can Deliver Deadly 830-Volt Jolt,” Computerworld, 17 October 2012.

Note 1 Cybersecurity
Cybersecurity encompasses a broad range of
practices, tools and concepts related closely to
those of information and operational technology
security. Cybersecurity is distinctive in its inclusion
of the offensive use of information technology to
attack adversaries.

Gartner Headquarters

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM
For a complete list of worldwide locations,
visit http://www.gartner.com/technology/about.jsp.

Securely Unleashing the endless possibilities of IOT is
published by Telefonica. Editorial content supplied by
Telefonica is independent of Gartner analysis. All Gartner
research is used with Gartner’s permission, and was originally
published as part of Gartner’s syndicated research service
available to all entitled Gartner clients. © 2018 Gartner, Inc.
and/or its affiliates. All rights reserved. The use of Gartner
research in this publication does not indicate Gartner’s
endorsement of Telefonica’s products and/or strategies.
Reproduction or distribution of this publication in any form
without Gartner’s prior written permission is forbidden. The
information contained herein has been obtained from sources
believed to be reliable. Gartner disclaims all warranties as to
the accuracy, completeness or adequacy of such information.
The opinions expressed herein are subject to change without
notice. Although Gartner research may include a discussion
of related legal issues, Gartner does not provide legal advice
or services and its research should not be construed or used
as such. Gartner is a public company, and its shareholders
may include firms and funds that have financial interests
in entities covered in Gartner research. Gartner’s Board of
Directors may include senior managers of these firms or
funds. Gartner research is produced independently by its
research organization without input or influence from these
firms, funds or their managers. For further information on the
independence and integrity of Gartner research, see “Guiding
Principles on Independence and Objectivity” on its website.