
What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
The Invisible Shield: IoT Security Challenges and Solutions
The connected world of IoT devices brings incredible benefits—from smart manufacturing to intelligent agriculture—but also creates unprecedented security challenges. When billions of devices collect and transmit sensitive data in real-time, how do we ensure they're properly protected?
Rodrigo Ferreira, Senior Vice President of Sales at Thales Mobile Connectivity Solutions, reveals the uncomfortable truth about IoT security: most devices lack built-in protection from the start. "Security isn't by design," he explains, leaving critical vulnerabilities that attackers can easily exploit. Among the biggest concerns is weak authentication—devices using simple login credentials that can be compromised, potentially allowing attackers to impersonate legitimate devices or even take over entire systems. When those systems control power grids or medical equipment, the consequences could be devastating.
Secure device identity becomes the foundation for trust in our connected ecosystem. But authentication is just the beginning—data encryption throughout the collection, transmission, and storage journey is equally crucial. As Ferreira states, "It's not a matter of if you get hacked, it's a matter of when." Without proper encryption, compromised data can be easily exploited. The industry faces additional challenges with firmware updates (many devices simply can't be updated) and fragmented regulations across regions, making global IoT deployments particularly complex.
Despite these challenges, innovation continues with promising developments like the GSMA SGP.32 specification, which simplifies secure connectivity across multiple carriers without complex integrations. Ultimately, IoT security requires collaboration across the entire ecosystem—no single player can solve it alone. As we build our connected future, the responsibility falls on all participants to prioritize security at every layer, from device to network to cloud. Learn more about Thales' approach to IoT security at upcoming industry events including Mobile World Congress Americas.
Speaker 1:Hey everybody, really exciting topic, one of the most pressing challenges in tech today around IoT security. We're going to unpack what that means for enterprises across the board, where the risks lie and what the future holds for securing billions of connected devices. Rodrigo with Thales, how are you?
Speaker 2:Very good, Evan. Thanks for having me here today, very excited.
Speaker 1:Thanks for being here, really excited to dive into all things IoT security. Before that, maybe, introduce yourself and your division within Thales for those who may not be familiar.
Speaker 2:Sure, so I'm Rodrigo Ferreira, Senior Vice President of Sales at Mobile Connectivity Solutions, what we call MCS, at Thales. I've been with the group for over 20 years, working in four different countries in different roles, from software development to project delivery and sales and sales leadership. So today I lead the North America business for MCS, working very closely with connectivity providers and device makers, trying to help shape the future of what we call a connected, secure IoT. I don't know, Evan, how much you know about Thales. Just giving a quick intro on Thales: Thales is a global technology provider with over 80,000 employees across five continents. Yeah, it's pretty impressive. We serve in markets like defense, aerospace and cybersecurity and digital identities. We invest heavily in digital and deep technology innovations like AI, cybersecurity, connectivity and quantum technologies. So, just to put it simple, the mentality is we are about making the world safer and smarter or, like we like to say, building a future we can all trust.
Speaker 1:Love it. Great taglines and you've seen the rise of IoT firsthand, now connecting hundreds of millions, if not billions, of devices in the near future, collecting enormous amounts of data in real time. What are some of the biggest security challenges that you've seen arise firsthand?
Speaker 2:You know, Evan, just to start on the IoT, right. I mean, when we talk about IoT, I think most people agree all the benefits that it brings to our lives, right? Whether it's in automation manufacturing or if it is a real-time data collection in agriculture or just making our homes smarter. So it's pretty exciting when we see what IoT can do for us, right? However, what we see is that many of those devices, they have limited capabilities. Security isn't built from the start, right, I mean it's not by design, like we say. And that opens, like a potential opportunities for attackers to find weak spots or gain unauthorized access, right. So there are a few areas that we believe that the industry needs to work on to make sure that the entire ecosystem is secure and can be trusted.
Speaker 2:Definitely.
Speaker 1:And, as we know, identity is the flip side of security, and weak authentication has been sort of endemic to IoT for some time. Right, how do we make sure that only secure devices are connected to our networks, especially with so many sensitive infrastructure domains out there healthcare and energy and aviation and beyond? How can we get better at things like?
Speaker 2:Yeah, that's a pretty important point, Evan, right? I mean, as I mentioned, some of those IoT devices, they have limited capabilities. You will be surprised when we talk with some of our players, right. I mean they are using just a login and password to authenticate their device to the network, or the identity of that device is not secure, is stored in a secure enclave in the device, right. And having those weak authentication protocols, it makes it easier for attackers to impersonate the device and gain unauthorized access or, even worse, do like a full system takeover.
Speaker 2:So think about the power grid or think about oxygen meter at the hospital.
Speaker 2:I mean, those are use cases that can have real life consequences, right?
Speaker 2:So it is really important that, when we talk about the authentication protocols, that you use the strong cryptographic base identity verification right, and making sure that that's properly secure in the device, that you can make sure that that device it is who it says it is before you even get access to the network, right. And when we talk about all the data that those devices are constantly collecting, and quite often in real time, that data can also be extremely sensitive, right. I mean, think about your location or health metrics or even, like a business criteria, insights that help you to make decisions right. So it is extremely important that, on top of the strong identity verification, we also have strong encryption protocols. Right, I mean, it is making sure that the entire data journey is secure, from the data collection to transmission and storage. At Thales, we usually say it's not a matter of if you get hacked, it's a matter of when. And if that happens, you need to make sure that that data cannot be tampered with, that data can't be accessed, that data is properly encrypted.
Speaker 1:Got it. Another weak link in the IoT security chain is the update mechanisms that are out there. Certainly, many of these devices don't have update mechanisms, which is pretty scary. Others have pretty manual update mechanisms. So what can manufacturers or businesses, customers, you know, do to ensure their devices stay secure and updated? Firmware gets updated over time, much like our Apple, you know, handsets do. Right.
Speaker 2:Yeah, that's another pretty important aspect in IoT security, right. I mean, as you mentioned, many of those devices, they don't have those capabilities, right, and that's a pretty big risk. If a vulnerability is found, that device stays exposed for exploitation or malware infection. And I said at the beginning, security should be from the start in by design. It's not a matter of just launching a product. It's a matter of making sure that it's secure for the long haul. So I think the important points here for tech providers and enterprise is to deploy over-the-air update mechanisms in a secure way, but also think about the lifecycle management from day one. I mean it should be from the beginning and think about the entire device lifecycle, how you're going to manage that.
Speaker 1:Yeah, interesting topic. Another topic that you hear a lot about are new regulations, rules, laws to secure devices, and there's just a constant stream of updates in the US, Europe, every country having its own ideas about this. Is there any way to unify all of this across borders and countries and regions? Where are we with the standardization and rules side of IT security?
Speaker 2:Yeah, that's a good point, right, I mean security, it's a pretty broad topic and, let's be honest, it can be very confusing. Right, and as you mentioned, there's like a regulations. There is different standards across the board. If we were to have unified approach, for sure that can help in scalability. Right, it makes it much easier for us to deploy that across regions or across different sectors, and some may argue that if you have a very strict standard or if it's not well-designed, that will prevent innovation. Right, and that's where I believe that industry bodies or standard organizations that can come in, even in governments, to try to strike the right balance here. Right, I mean, one great example that I can mention is the NIST 2022 framework for consumer software and consumer IoT products, because it gives the right direction and clear direction on what should be implemented without preventing that innovation. Right, giving the flexibility for tech providers and enterprise to choose the best solution that fits their needs and to scale. Got it.
Speaker 1:And in the midst of all this, the industry continues to innovate new services like eSIM. I'm a big fan. I have three or four eSIMs. Also new standards from people like 3GPP and GSMA. Maybe break down some of those new standards and also new technologies that you're really intrigued by.
Speaker 2:Yeah, so recently we are seeing lots of buzz around what we call the GSMA SGP.32. So that's a new specification designed for IoT. We did have those specifications for IoT in the past, but those require pretty complex integrations across the carriers that you want to support, right? So the challenge that we had in the past is that an IoT device would either stay locked in a single carrier or the carriers that they need support had to be integrated across their backend, which made the management of connectivity pretty complex. Right. Now, think about your phone or your watch. When you have that eSIM capabilities there, no need to be like a strong backend integration across the different carriers. You can basically enable that device in any of those networks and that's what the SGP.32 is bringing to the IoT, is that flexibility for you to connect, like different carriers, including private networks, without having to do those complex backend integrations.
Speaker 2:So what we've learned in our work with IoT at Thales is some industries, let's say utilities, they require connectivity resiliency, right. So for those players to think from the beginning which carriers they're going to use or how they're going to use those carriers, or when to switch one to the other, is with the previous specifications they were pretty complex. With the SGP.32, that makes it easier. So the entire supply chain from device manufacturing, deployment and maintenance is much easier. So it's a pretty exciting development on the IoT connectivity and we are seeing lots of traction these days in the market.
Speaker 1:Fantastic, and what are some of the threats that you have your eye on or the team at Thales has its eye on this year and over the next years? There's a lot on the horizon. You hear about quantum and other threats to encryption, but what's top of mind for you and the team?
Speaker 2:You know there's different topics, right? I mean, I believe that, as the IoT tech keeps evolving and reshaping industries, there is no single player that, in my view, can tackle everything by itself. The threats are evolving, as you mentioned, like quantum. It is one, right, I mean, if you're doing like a data collection today to access those later on. So there's lots of concerns around the security, and that's where collaboration is very important across the different organizations, enterprise tech providers, to really tackle those risks.
Speaker 2:One great example that I can mention is recently, the IoT Machine to Machine Council and Global Certification Forum. They form the task force to explore a global certification for IoT, and here they're not looking only at the device, right, I mean. I think, as I mentioned earlier, security is pretty broad and can be quite complex, and it doesn't help if you have a very secure device but your network or your cloud platform is not secure, right? So, basically, here this task force is trying to look at those different components from the network, from the cloud platforms and the device, and in my view, it's that holistic approach that we need, right? So there's much more that needs to be done. For sure, I always say that we that are part of this connected future, it's up to us to build a future that we can really trust. So it is really important that we keep working towards that. You know, to beat what the threats will evolve, right, the way that they evolve.
Speaker 1:Yeah, sounds like the shared responsibility and accountability is required by all the parties. And what role does Thales MCS play in the mix? How do you see your role and how do you help?
Speaker 2:Yeah, so we, you know, as I mentioned earlier, Thales is pretty broad, but specifically on MCS, we are working with the connectivity providers, device makers, by helping on two fronts. One is on the connectivity, how we make that connectivity scalable and easier and less complex, right. I mean by all I say think about a lamp, how you can get the lamp and connect that in an easy way. Right, we are focusing on wireless, right.
Speaker 2:So the way that we're working with activities are wireless and, as you have those components like eSIM or you have a secure element that you are putting there, you can actually use that component to increase the security, right. Use that as a security play for your device identity or to have your keys for you to access your cloud platforms. So that's the work that we have been doing at Thales MCS, working closely with those device makers to help them to perform the security by design, right. I mean, as they are talking on the connectivity, how can we tackle those two fronts, connectivity and security, from the beginning in a way that we can really shape the future of connected IoT?
Speaker 1:Wow, wonderful mission and just a fun question. If you had a magic wand and could wave it and sort of just change one thing about the IoT ecosystem today to make it safer, what would you change? What would you wish into existence?
Speaker 2:adoption of SGP.32, it's pretty important, right. I mean, we saw in the past people trying to connect those devices in not a secure way, and that's a pretty big risk, right. So having a way for you to do remote provisioning and doing connectivity management in a secure way or allowing the device to switch automatically, that's for me, it's pretty important. But beyond that, you know, there are other principles that people need to take into account, which is like strong encryption protocols that we mentioned at the beginning, of course, embracing zero trust principles, right, to make sure that you don't trust anything. So security should be in every layer of your IoT ecosystem, and we are seeing lots of AI security-driven models. I mean that's important. We always question who's going to win on the AI war? Right, that is the protection or the attack. The threats will keep evolving, right, and that's why organizations need to stay proactive. It's important that they adapt quickly and, as I said, build trust in every single layer of their IoT ecosystem.
Speaker 1:Well, really optimistic note there and food for thought as we head into Black Hat and DEF CON and other events this year. What are you excited about over the next few weeks and months? Where are you traveling? Where can people meet you and learn more?
Speaker 2:Yeah, so there's a Mobile World Congress that is coming up in the coming days.
Speaker 2:Americas, right. Of course, there is the Mobile Congress in Barcelona that we are meeting. We have a bunch of IoT events in different sectors, right? What we realize is that, to make sure that the industry is educated on those points, we're actually now actively participating on specific events, either for healthcare or for utilities, you know, like DistribuTECH, because that's a way that we can meet those players and get to learn their challenges and explain to them how we can support them, right? I mean, when people hear about the eSIM, they think that's what is that and how I can prevent their use of the plastic SIMs. And that's where we are to help them. That means, from the design, helping them to integrate that seamless to their device, provide some components that they can help them to use that piece not only as a connectivity management but also identity. So we're excited, myself and my team, we are participating in different events in the coming months and weeks to really tackle that challenge that we as an industry, we face for the future.
Speaker 1:Fantastic. Well, thanks very much, really important work, and wishing you and all of us luck in that regard. Thanks for joining and I look forward to meeting you at Mobile World Congress or one of the many events out there.
Speaker 2:Sounds good, Evan, thank you for having me here to explain the exciting work that we're doing at Thales with IoT.
Speaker 1:Thank you and thanks everyone for listening, watching, sharing this episode, of course, and check out our new TV show, techimpact TV, now on Bloomberg and Fox Business. Thanks everyone, take care.