The endless possibilities of IoT
Internet Of Things
CONTENTS
Executive Summary
Why Telefónica
Security Becomes ever more Paramount
The Telco Approach: A model for securing the IoT Ecosystem
Telefónica’s IoT Security Value Proposition
Conclusion
Gartner Research
“…endless possibilities that it can bring to improve our lives.”
Executive summary
The term Internet of Things (IoT) has become a buzzword in recent years, sharing the limelight with other technologies that are enabling the digital transformation across every aspect of our lives. Despite its novelty, IoT has grown faster than any previous communication technology, and associated challenges and learnings have emerged at that same speed. This has led to a rapid general awareness of security as a priority for main IoT players.
An outline of the current status of IoT opens this report. We will then present our specific approach model and value proposition for IoT security. This is underpinned by three key pillars, and is delivered with a portfolio of core security capabilities and cybersecurity services. Given that connectivity is present through the entire IoT journey, we address security issues as a whole, following a comprehensive approach to deliver end-to-end IoT security propositions to our customers.
WHY Telefónica?
THREE KEY PILLARS UNDERPIN OUR IOT SECURITY VALUE PROPOSITION:
journey full of possibilities
The IoT represents a very broad concept that includes any network of devices, such as vehicles, home appliances, electric or water meters, and other items that communicate across the internet without human intervention. These devices share information collected from sensors, or send commands to actuators that are close to or embedded on them.
Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers. In the near future, this vast number of devices will surround us, collecting data about our different activities and interacting seamlessly with us.
business opportunities requires a smart combination of a multidisciplinary set of technologies. In fact, according to social media analyst company ZK Research, we are living in the middle of a “perfect storm”, similar to the one that kicked off the internet era, and that is now driving the growth of the IoT. It consists of several factors: digital transformation; low-cost sensors; standardization to Internet Protocol; the growth of Big Data; the rise of social media; and Cloud Computing.
Security becomes ever more paramount
“…complex due to lack of standardisation across the devices...”
From improving the efficiency of a business to opening up new business opportunities, the advantages of embracing the IoT are so huge that every company or sector will benefit from its adoption sooner or later. As more and more companies base their businesses on the IoT infrastructure, security becomes ever more paramount. At the same time, the growing presence of IoT will also increase the awareness of security needs, and will boost the development of tools and solutions from every aspect of the world of IoT.
The rapid growth of IoT will also be reflected in the evolution of security. This has happened many times before, such as when the expansion of the automotive industry instigated the transformation of roads into safer motorways.
The IoT journey spans across many different areas, and whilst each of these has its own particular features to be specifically analysed, they all share a key commonality: the need to provide network connectivity to the devices, with IoT platforms that process sent information and enforce applied actions. This constant presence enables Telefónica to look at the big picture and wider approaches to the IoT security issue as a whole, filling the gaps between the specialists at every step of the journey.
“Cybersecurity is now undoubtedly considered as a key aspect for any IoT device or solution…”
Internet connected devices require the same security controls as any PC or smartphone
Some devices, such as IP cameras, are based on operating systems that are no different from that of a traditional computer or smartphone, and therefore have similar security requirements.
In the connected PC era, automatic software and antivirus updates have become essential security tools and mechanisms; their introduction marked relevant changes in the dominant operating systems and the birth of free antivirus software. Since the IoT device market is still fragmented, these solutions are tougher to apply, but are even more necessary.
Efficient security controls were not in place in 2016 when the self-propagating Mirai botnet infected devices using a procedure as simple and common as default credentials testing. The attack was directed at Dyn, one of the most important DNS hosts at the time. It affected sites such as Twitter, Spotify and GitHub, rendering them unavailable for several hours. The Mirai botnet had been specially designed to target IoT devices using two main components. On the one hand, it had a scanner that continually searched for new IoT devices to be compromised. On the other hand, its command and control center sent instructions to launch attacks against victims.
When connected to the internet, no device can be ignored
A system or infrastructure is only as secure as its weakest link. We cannot ignore devices that seem irrelevant to the business if they are connected to the internet. A seemingly innocuous device can be the gateway for cyber-attackers.
Take a thermometer, for instance. After hacking the internet-connected thermometer of a fish tank, cybercriminals were able to access the manufacturer’s entire corporate network from the device and infiltrate its customer database.
The main learning from these three cases is that security needs for IoT are no different to traditional security needs. Although the IoT has particular features that will require ad hoc solutions, IoT service ecosystems share Cloud infrastructures, and a complete E2E package will require adding some traditional solutions in order to provide comprehensive security proposals.
We have not reduced our daily use of the internet or the smartphone for security reasons; rather, we have strengthened our defences and remain vigilant. The immense possibilities of IoT are an even greater incentive to keep progressing in this way.
The TELCO approach: A model for securing the IoT ecosystem
The endpoint ecosystem
The endpoints – which are the IoT devices – are usually geographically dispersed and fundamentally send information from the sensors to the platform that enforces the requested actions. From a security perspective, the endpoints have some key limiting features that must be considered:
• They have limited processing and battery resources, which makes adding security capabilities (such as data encryption) more challenging.
• In most cases they must be remotely operated due to geographical dispersion, which requires secure mechanisms for remote monitoring and management.
• Most endpoints are physically accessible to an attacker. This means they require secure designs that protect the devices from physical manipulation.
• These devices also have long life cycles that can reach up to 10 years, and require specific security mechanisms and procedures to ensure resiliency of the IoT infrastructure.
However, there is also another feature that represents an advantage from a security perspective. Unlike multipurpose devices, such as smartphones and computers that can host a wide range of applications with different communication patterns, IoT devices tend to focus on very specific applications. This simplifies the profiling of the device and, hence, the detection of anomalous activity.
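Added example (not part of the original report): a minimal sketch of the device profiling described above, in which each endpoint's narrow communication pattern is learned from baseline traffic and later flows are compared against it. The flow record layout, device names, addresses, thresholds and alert labels are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    device: str     # endpoint identifier (constructed)
    dst: str        # destination address
    port: int
    proto: str
    bytes_out: int


@dataclass
class Profile:
    services: set = field(default_factory=set)  # (dst, port, proto) seen in baseline
    max_bytes: int = 0                          # largest single flow seen
    max_fanout: int = 0                         # most distinct destinations in one window


def build_profiles(baseline_windows):
    """Learn one profile per device from a list of observation windows."""
    profiles = defaultdict(Profile)
    for window in baseline_windows:
        dsts = defaultdict(set)
        for f in window:
            p = profiles[f.device]
            p.services.add((f.dst, f.port, f.proto))
            p.max_bytes = max(p.max_bytes, f.bytes_out)
            dsts[f.device].add(f.dst)
        for dev, seen in dsts.items():
            profiles[dev].max_fanout = max(profiles[dev].max_fanout, len(seen))
    return dict(profiles)


def detect(profiles, window, byte_slack=2.0):
    """Return {device: sorted reasons} for traffic outside the learned profile."""
    alerts = defaultdict(set)
    dsts = defaultdict(set)
    for f in window:
        p = profiles.get(f.device)
        if p is None:
            alerts[f.device].add("unknown-device")
            continue
        dsts[f.device].add(f.dst)
        if (f.dst, f.port, f.proto) not in p.services:
            alerts[f.device].add(f"new-service:{f.port}/{f.proto}")
        elif f.bytes_out > p.max_bytes * byte_slack:
            alerts[f.device].add("volume-spike")
    for dev, seen in dsts.items():
        if len(seen) > profiles[dev].max_fanout:
            alerts[dev].add("fan-out")
    return {dev: sorted(reasons) for dev, reasons in alerts.items()}


# Constructed baseline: a meter reporting over MQTT/TLS, a camera uploading over HTTPS.
BASELINE = [
    [Flow("meter-01", "192.0.2.10", 8883, "tcp", 420),
     Flow("cam-07", "192.0.2.20", 443, "tcp", 90_000)],
    [Flow("meter-01", "192.0.2.10", 8883, "tcp", 450),
     Flow("cam-07", "192.0.2.20", 443, "tcp", 120_000)],
]

# Constructed live window: the camera also opens telnet connections to several
# new hosts, the outbound pattern a self-propagating infection would produce.
LIVE = [
    Flow("meter-01", "192.0.2.10", 8883, "tcp", 430),
    Flow("cam-07", "192.0.2.20", 443, "tcp", 110_000),
    Flow("cam-07", "198.51.100.4", 23, "tcp", 60),
    Flow("cam-07", "198.51.100.5", 23, "tcp", 60),
    Flow("cam-07", "198.51.100.6", 23, "tcp", 60),
]


def run_example():
    return detect(build_profiles(BASELINE), LIVE)


if __name__ == "__main__":
    print(run_example())
```

Because a single-purpose endpoint has so few legitimate destinations, a plain allowlist learned from baseline traffic is enough to separate the camera's new telnet fan-out from the meter's unchanged reporting.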
The IoT service ecosystem
On the other side of the model we have platforms, which can be both in the Cloud or on-premise, and have many additional features and capabilities to facilitate the interaction with IoT devices and the development of services. Currently, there is a great diversity of Cloud platforms, whose main representatives are Amazon Web Services (AWS), Google Cloud Platforms, IBM Bluemix, and Microsoft Azure. Apart from the diversity among them, which forces developers and engineers to define different security mechanisms, there are few security mechanisms that leverage network capabilities for IoT infrastructures. Reinforcing these could simplify and enhance their implementation and configuration.
“...network operators can also assist IoT service providers to deploy or derive their own encryption credentials...”
“...applying filtering mechanisms to weed out attack traffic and deliver only clean traffic.”
Telefónica’s IoT security value proposition
Three key pillars underpin our IoT security value proposition:
• Leveraging the network and platforms built over network capabilities
• Managing a comprehensive security portfolio to deliver E2E propositions
• Building a strong partnership ecosystem to deliver compelling propositions
“…managed connectivity platform that improves customers’ productivity and connectivity cost management...”
A COMPREHENSIVE SECURITY PORTFOLIO TO DELIVER E2E SECURITY PROPOSITIONS
This portfolio is arranged into four key groups:
Security products
A set of security products (lower green layer) that can be deployed within the infrastructure. Operation of the products is based on repetitive and procedural tasks that can be performed by traditional SOC teams.
Cybersecurity services
A set of cybersecurity services (middle light blue layer) where the key element is the team, which is composed of highly skilled cybersecurity specialists. Key to service success, the team bases its work on tools and services that are also part of the service blocks of this layer or the previous one.
Consulting services
Consulting services (right side dark blue box) that can provide support during the pre-sales stage to understand the specific needs of the customer and build the right proposal, combining the P&S of the previous two bullets. These services can also be extended during the initial stages of the project, as they can be required in any project where any of the previous P&S are involved. Consulting services are key to understanding the specific needs of the customer and tailoring the solution to best fit their needs, especially for the most innovative and disruptive customers in their sectors.
Advanced solutions
The top layer groups solutions that are tailored to specific sectors or industries and share two key properties. Firstly, they need to be flexible and modular in order to adapt to the specific needs of each customer. This is especially relevant in the case of IoT, as customers may have different security and privacy requirements depending on their specific sector. Secondly, they are based on the P&S of the rest of the layers and may also include other specific modules or components.
It is worth noting some of the services that are more relevant in IoT security. Managed Security Operations relieve customers from the challenges involved in deploying and operating their own SOC. Instead, they can rely on our 11 SOCs located around the world. Device management is one of the most common services used by customers. Although most devices are computers and smartphones – which are the traditional devices in IT security – “things” management will benefit from this background.
“...CyberThreats service helps by continuously preventing, detecting and responding to potential cyberthreats...”
“...a platform for supporting consulting service on governance, compliance and risk assessment.”
Nobody can do it alone; a robust partnership network is ESSENTIAL
The IoT is a fast moving, rapidly evolving ecosystem
that opens up a wide range of new opportunities.
In just a few years, it has evolved from a machine-
to-machine (M2M) paradigm focused on B2B
and vertical use cases, to a smart environment
with millions of cellular connections, an emerging
B2C application and an increasing range of
standard definitions. The future seems to be even
more complex, with billions of connections and
thousands of applications on B2B, B2C and B2B2C.
This environment of constant change, together
with the extremely long IoT ecosystem value chain
(device manufacturers, communication service
providers, Cloud platform providers, and application
developers, to name a few) makes matching
security requirements an impossible task for a
single company. Therefore, it is crucial to create an
active and dynamic partnership ecosystem that can
attract talent, technology and investment to face
this challenging environment.
“Attracting talent and identifying relevant projects and initiatives at a very early stage.”
Conclusion
In this report, we have described the key
capabilities and assets that MNOs need to consider
for IoT security. They set a foundation from
which to start building compelling E2E value
propositions, and adding advanced security services
and products. Some of these could be developed
in-house, but a significant number will require
partnering with leading companies in each specific
area of security. In both cases, the systemic vision
of Telefónica for IoT adds another point of view at
a larger scale to the ones of specialists in specific
types of devices and solutions.
The significant business growth of – and relevant
investment in – cybersecurity over the past few
years has allowed us to devise a comprehensive
portfolio and build an extensive partnership
network; creating the perfect platform from which
to help its clients take maximum advantage of the
IoT revolution.
iot.telefonica.com
Proactively to Ensure Success With Outsourced IoT Initiatives
Summary
Refreshed: 5 June 2018 | Published: 17 February 2017 | ID: G00319712
FOUNDATIONAL DOCUMENT
This research is reviewed periodically for accuracy. Last reviewed on 5 June 2018.
IMPACTS
• Existing cybersecurity policies and procedures will undergo changes to support the adoption of the Internet of Things (IoT), introducing new cybersecurity challenges for sourcing and vendor management leaders.
• Increased competition will drive enterprises toward rapid adoption of the IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity.
• Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and a myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching the demand and supply together.
Recommendations
To address the cybersecurity risks of IoT, sourcing and vendor management leaders should:
• Collaborate with business and IT stakeholders to identify and formalize all cybersecurity concerns and risks.
• Ensure internal policies, processes and quality assurance mechanisms are aligned with their service provider’s obligations at the time of negotiations.
• Create an approved list of IoT products and service providers, including their capabilities and track records on cybersecurity as the key parameters for shortlisting.
• Incorporate a data protection and open-source agreement into the contracts, which ensures any data generated is either secured or purged after use or at the termination of the contract.
Strategic Planning Assumption
By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.
Analysis
As the personal world of connected consumer devices — such as wearables and health monitoring — collides with the IoT, consumer and organizational IT will become indistinguishable, and digital capabilities throughout the enterprise will simply merge. This has generated significant interest from an IoT strategy perspective among businesses. The inquiry volume has stabilized to 10% of the yearly volume of IoT inquiries every month consistently between May 2016 and December 2016. During the second half of the year, the inquiry volume was more than double with respect to the first half showing increased maturity and interest. [1] Supporting this evidence is the increased interest in cybersecurity (see Note 1) and privacy concerns, which remain the biggest barriers to IoT success (as shown in Figure 1). In a Gartner survey on the IoT conducted during the fourth quarter of 2016, security concerns, potential risks and liabilities, privacy issues, and regulatory issues were among the top 10 barriers, with security concerns as the main barrier to the success of IoT. [2] This research will focus on addressing the required sourcing and vendor management leader actions to address the main barrier depicted in Figure 1: cybersecurity.
Figure 1
Security concerns 12 12 10 35
Cost/funding concerns 12 10 10 32
Implementation/integration complexity 10 10 9 29
Difficulty in predicting business benefits 7 8 8 23
Regulatory issues/concerns 7 7 8 23
Technology is immature 7 7 7 21
Other barriers 0
Notes:
Question we asked: What are the three greatest barriers to the success of your organization’s IoT activities?
Number of respondents = 2,539.
Multiple responses were allowed.
Currently, as revealed in Gartner’s “Hype Cycle for Enterprise Architecture, 2016,” IoT architecture has entered the Peak of Inflated Expectations. It will reach the Plateau of Productivity within five to 10 years, while in the meantime, continuing to grow at a steady pace. Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers. [5]
Businesses will see rapid adoption, and suppliers will produce devices at a rapid pace. During this fast adoption phase, clients should practice restraint when acquiring IoT products and IoT-based solutions and services, or when selecting service providers for IoT products, solutions or services. Businesses need to ensure that IoT solutions are secure before committing to acquire them.
In addition, since revenue maximization is one of the top objectives of businesses, risk management needs to be addressed in a sensible manner so that it does not become an inhibitor. Businesses must learn how to mitigate risks faster on their journey for rapid adoption, enabling the business to quickly implement IoT processes with an ecosystem of partners. This is the main objective for sourcing and vendor management leaders strategizing for IoT implementation.
Gartner sees the following key impacts for sourcing and vendor management leaders when correlating the IoT and cybersecurity, as depicted in Figure 2.
Figure 2. Impacts and Top Recommendations for Sourcing and Vendor Management Leaders
Impact: Existing cybersecurity policies and procedures will undergo changes to support the adoption of the IoT, introducing new cybersecurity challenges for sourcing executives.
Top recommendations: Review architecture and design cybersecurity. Evaluate internal policies, processes and quality assurance mechanisms. Consider available frameworks and guidelines (such as FTC rules) before investigating the IoT provider market.
Existing cybersecurity policies and procedures will undergo changes to support the adoption of the IoT, introducing new cybersecurity challenges for sourcing and vendor management leaders
The proliferation of IoT solutions and services, in combination with the rapid adoption of IoT by consumers and businesses, puts pressure on the sourcing and procurement teams to accept solutions and services with limited built-in or architected cybersecurity and safety features. In the same sense, service providers are using the competitive pressure to directly sell to business buyers, circumventing sourcing and procurement altogether, introducing numerous potential vulnerabilities.
This will place businesses in jeopardy when such IoT products or services are deployed in a mission-critical role. Hence, sourcing and vendor management leaders must invest in creating and maintaining a flexible, yet unambiguous, IoT risk mitigation strategy that can be applied rapidly during the initial selection and contracting period, with a main focus on cybersecurity.
Recommendations
Sourcing executives should:
• Collaborate with business and IT stakeholders to establish an IoT center of excellence (COE) and formalize IoT adoption principles covering — at minimum — cybersecurity, privacy and compliance. An effective COE can then establish a framework for adoption, enabling processes and structures, to provide help in creating a productive digital business and IoT strategy. The COE should also provide for terms and conditions that can be incorporated in agreements during the implementation of IoT products and services.
• Engage with cybersecurity and compliance teams to ensure that new policies and procedures manage risks associated with IoT. Review current guidance, such as the FTC rules, to ensure risks are measured, and mitigation activities are defined and formalized. [7]
• Always consider external IoT specialists to develop an enterprise risk management framework for the evolving IoT ecosystem. Even if there is an internal COE, it’s better to be safe than sorry.
The IoT ecosystem is complex and massive. Currently, standardization does not exist, and maturity is evolving. At present, there is insufficient regulation protecting consumer interests. There is hope that technology alliances and go-to-market partnerships will develop sector experience and acumen. The ecosystem of IoT is grouped into different types of providers, such as:
• IT providers and system integrators (such as IBM, HPE, CSC, Accenture, Capgemini, Atos, Oracle, Microsoft and SAP)
• Communication providers (like NTT Data, AT&T, T-Mobile and Verizon Communications)
• Infrastructure gateway providers (like IBM, Hitachi, Juniper Networks, Cisco Systems, HPE and Fujitsu)
• Original equipment manufacturers (such as Johnson & Johnson, GE, General Motors, Ford Motor, Siemens, Bosch, ABB and Philips)
• Semiconductor manufacturers (like ARM Holdings, Intel, Qualcomm and STMicroelectronics)
Recommendations
Sourcing and vendor management leaders should:
• Engage intensely with providers to understand the portfolio of IoT offerings, market share, verticals supported, growth of IoT business and regions served. Thereafter, revisit the sourcing strategy and seek a deeper alignment through adaptive sourcing. Organizations that develop maturity in sourcing will be more capable of managing risks and compliance from the IoT.
• Collaborate with the legal, IT and compliance teams to establish an integrated contractual framework for your business initiatives, to ensure that the provider will comply with your organization’s ecosystem. Ensure IoT and cloud-related risks are addressed by the business framework.
• Focus on organizational training and awareness before engaging with providers. Include training and awareness as a part of provider obligations.
• Engage consultants and experts to deal with cybersecurity and the integrity of data. IoT initiatives often bring vast data management challenges, since such a huge amount of data is generated. Therefore, the organization will have to analyze what data is useful and how it should be organized to ensure optimal utilization of resources, such as storage, computing and network, as well as discarding unnecessary information and using encryption where needed.
Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
“Prepare for the Internet of Things to Drive Big Change in Sourcing”
“Mitigate Digital Security Risks and Emerging Threats in IT Outsourcing by Solidifying Scope and Support of Stakeholders”
“The Four Steps to Manage Risk and Security in Bimodal IT”
“Toolkit: Risk Scoring Tool for Sourcing Digital Services”
Evidence
[1] Inquiry trend for IoT-related inquiries reveals that between the first half of 2016 and the second half of 2016, the number of inquiries increased almost by 140%. The inquiry volume sharply started rising during the first half of 2016 and became consistent in the second half.
[2] In “Survey Analysis: 2016 Internet of Things Backbone Survey,” Figure 6, “Barriers to IoT Success,” security concerns were ranked at the top (No. 1), privacy concerns was at No. 4, potential risks and liabilities were at No. 5, and regulatory issues/concerns were at No. 7 (n = 2,539) in terms of barriers to IoT. The question asked was: “What are the three greatest barriers to the success of your organization’s IoT activities?”
[3] M. Miliard, “Massive DDoS Attack Harnesses 145,000 Hacked IoT Devices,” Healthcare IT News, 29 September 2016.
[4] J. O’Callaghan, “Could Your Smart TV be Hacked? ‘Red Button’ Feature Could be Used to Hijack Web Accounts,” Daily Mail, 9 June 2014.
[5] T. Danova, “Morgan Stanley: 75 Billion Devices Will Be Connected to the Internet of Things by 2020,” Business Insider India, 3 October 2013.
[6] In “Survey Analysis: The Internet of Things Is a Revolution Waiting to Happen,” Figure 4. IoT Leadership (n = 456) shows that 77% of organizations do not have IoT leadership.
[7] “FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks,” FTC, 27 January 2015.
[8] HP’s security research, related to IoT, revealed some interesting insights into the IoT security. For further information, see “Internet of Things Research Study,” HP, September 2014.
[9] J. Kirk, “Pacemaker Hack Can Deliver Deadly 830-Volt Jolt,” Computerworld, 17 October 2012.
Note 1: Cybersecurity
Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.