IoT Security: Overcoming Deployment Barriers

Security remains the top priority in the development and deployment of the Internet of Things. Gartner reports that, by 2020, IoT security will account for 20% of all security budgets.

Nick Sacke, head of Product and IoT at Comms365, warns that analysts, vendors and stakeholders are increasingly concerned about the significant security risks associated with IoT rollouts. These worries shape decision‑making and erode end‑user confidence, especially when using existing networks—such as Wi‑Fi, which have a history of vulnerabilities—or newer unlicensed‑spectrum systems like LoRaWAN and Sigfox.

The lack of industry‑wide standardisation is another obstacle. Older and newer networks alike need cohesive security policies to move forward.

Lack of information

One major factor undermining confidence is the scarcity of information about the security measures already in place for the networks that underpin IoT, both licensed and unlicensed. Low‑Power Wide‑Area Network (LPWAN) platforms such as LoRaWAN and Sigfox operate in the unlicensed spectrum and have been criticised for lacking the traditional security mechanisms of cellular networks. Carriers often argue that a cellular‑based IoT network is “more secure” because traffic remains within the carrier’s control.

It is essential to distinguish the type of sensor traffic and the security that can be applied at each point in the network. All LoRaWAN traffic is non‑IP, employs 128‑bit AES encryption, and is decrypted by an application server hosted in a private cloud environment. This is a stark contrast to Wi‑Fi‑based sensor networks that may connect to public internet gateways and therefore require stringent on‑site security measures. Ideally, public networks, their providers and device manufacturers should scrutinise every design element to maximise protection and reassure users.

While security concerns are real, not all IoT networks are equally vulnerable. Recent LoRaWAN deployments incorporate built‑in security from the outset, which is crucial for safeguarding data.

Who ultimately bears responsibility for IoT security? The answer is all parties: network operators, device manufacturers and end‑users. A coordinated, end‑to‑end approach is required to secure IoT from development through deployment and daily operation. Depending on the chosen network access technology, inherent security features—such as those found in cellular LPWAN—may already exist, but similar arrangements can be established for unlicensed‑spectrum networks by creating private, layered security architectures.

How one city did it

The Milton Keynes smart‑city project deployed a LoRaWAN network at the end of last year, covering city centre areas for diverse use cases—including energy, parking and environmental monitoring.

Data from thousands of LoRa‑based sensors is collected securely over the LPWAN and deposited into a purpose‑built IoT data hub, where it can be analysed by multiple stakeholders in a monitored, legally compliant environment.

Given the scale of the deployment and the population served, security is paramount. Consumers must trust that the security framework is robust not only in software but also in the physical environment. Initiatives such as blockchain are already being explored to deepen security, even for public‑network traffic. Perhaps the most critical element is protecting the sites where devices are physically deployed to prevent local tampering.

If a local attacker can compromise a device, the integrity of the entire data path is compromised. Tamper‑proofing is therefore essential for monitoring IoT sensor health—from simple accelerometer checks to temperature variations—so analytics can detect and mitigate interference.

Enterprise uncertainty about security can delay deployment, but it does not have to. By applying security at each stage—device, edge, WAN and cloud—a higher likelihood of mitigating potential breaches is achieved.

Manufacturers already integrate many security features directly into devices, and the semiconductor industry is actively addressing hardware security. However, the absence of standardised hardware security guidelines remains a barrier. Fragmentation persists as manufacturers pursue proprietary solutions, but cross‑industry coordination can overcome this challenge.

When the right partners and systems are chosen, deployment and security can be seamless. Continued advances in IoT security will give customers the confidence to deploy at scale and with intensity.

The author of this blog is Nick Sacke, head of Product and IoT at Comms365.