u-blox’s Andreas Thiel on securing the internet of things
The proliferation of connectivity and data represent myriad opportunities, but no shortage of challenges, not least security
The number of devices connected to the Internet, including the machines, sensors, and cameras that make up the Internet of Things (IoT), is set to explode over the coming years, as is the amount of data produced.
A forecast made earlier this year by the International Data Corporation estimates that there will be 41.6 billion connected IoT devices, or “things”, generating 79.4 zettabytes of data in 2025. This abundance of data and connectivity represents myriad opportunities, but also a number of real challenges, perhaps most pertinently that of security.
u-blox is a company that has placed the challenge of making IoT and other data assets secure at the forefront of its ambitions. As co-founder of the business, Andreas Thiel has been with u-blox since it was established in 1997, playing a key role in its development from a small positioning company through to its IPO on the Swiss stock exchange in 2007.
It then embarked on an aggressive expansion, acquiring more than a dozen companies in quick succession. Thiel, who today holds the position of Head of Product Centres, says the raft of acquisitions allowed u-blox to “really broaden the focus of the business”.
“We started out really focused on positioning technology, and it remained that way for around 10 years. We made a number of acquisitions that allowed us to broaden our business focus into cellular products, all the way from 2G to 5G today, and we later added wifi and Bluetooth activities,” he tells Digital Bulletin.
“By adding connectivity products and technologies, what we did in effect was enter into the Internet of Things. When we started in this area it was known as end-to-end or machine-to-machine, so really just machines that were connected to the Internet.
“That’s how we used to know it, we referred to it as ‘internet-to-machine’ — it’s now known as IoT or cloud technology, but it’s actually the same thing”
“That’s how we used to know it, we referred to it as ‘internet-to-machine’ — it’s now known as IoT or cloud technology, but it’s actually the same thing.”
The nature of the company’s product portfolio means security has to be at the heart of everything u-blox does. It is not, says Thiel, an isolated subject or team within the organisation, but rather the foundation on which its reputation and success is built.
“Security crosses over with all aspects of what we do. As a provider of secure products, services and IoT solutions, this means that we start from ourselves as a company. We have increased our resilience against cyber-attacks and we routinely keep up to date with growing threats so we can protect our IP and the IP of our partners and customers,” he comments.
“If we look at how this is reflected by the company, we work in a corporate security management structure, where we have one responsible person who is taking care of that and it is anchored by the executive committee.
“It then breaks out into teams that oversee various subjects such as IT security, product security, site security of premises, and supply chain security where we interact with suppliers and external partners in production to make sure there is no compromise of the supply chain and products.”
In that spirit of security-first thinking, u-blox recently sought to ‘redefine IoT security’ with the launch of a 5G-ready cellular module and chipset for low-power, wide-area IoT applications.
The module, built on the u‑blox UBX‑R5 cellular chipset and the u‑blox M8 GNSS receiver chip, offers what the company claims is “unmatched” end‑to‑end security and long product availability, making it ideal for IoT applications with long‑term device deployments.
The module also features a lightweight and low power pre‑shared key management system that is tailored to the needs of IoT applications, along with a comprehensive set of security features.
“This is the first model that is built around our own chipset, and on the module, we’ve integrated a ‘hardware-based hood of trust’, which is a specific piece of silicon which is our anchor point for attaching various security features so in the end it enables secure communication from end-to-end, from the edge to the cloud and backwards,” says Thiel.
“The pre-shared key management system is very important in ensuring connections are secure and efficient. We have a secure library in the module that offers various functions that are used on our own software but can also be made available to our customers.
“For example, you can imagine you want to secure some very sensitive data in the medical field; we can offer a secure vault where customers can store data that cannot be accessed without authorisation. In addition, it is not something that is static, we can update and add more features throughout the lifetime of the product that can be delivered to the customers.”
The launch, says Thiel, reflects the growing importance of industrial IoT. Rather than being a variant of a product developed for a mobile phone, the module has been purpose built for use in the industrial sector, specifically designed for robust longevity that u-blox believes is not represented by its competitors.
u-blox has worked hand-in-hand with the Kudelski Group during the development and roll-out of the module. Thiel says the partnership with the digital security specialist has been “hugely important”.
“Kudelski has a lot of experience in securing important assets on a grand scale, so it was very beneficial for us to work with a partner with a proven technology that can scale to very large volumes,” he adds.
“Security is all about trust, so having a partner with established credibility in the market has been a great help and has helped us begin to establish ourselves in this environment. We know that its solutions are of a very high standard and have been established in the market for many years.”
Working with clients from across various industry sectors, Thiel says that the company sees wide fluctuations in terms of IoT security awareness — from almost total unawareness to in-depth knowledge and expertise — although he says as a general trend, people are becoming more aware of the pitfalls and are eager to learn and absorb new information.
“Everything that is impacted by security finds itself in a race between attackers and defenders and IoT is no different”
“We typically see that every company has a security expert, but at some companies that thinking is not at the forefront of product development and definition. It means that it can take some time for the message about the importance of security in an IoT context to land,” he comments.
“But once we get into a positive dialogue, I think the customers appreciate that competence and are happy with a partner to help them assess where they stand, define the gaps and offer products that are sound and reliable.”
An analogy is drawn with the learning curve that came with personal computers, when it took time for people to realise that anti-virus software was important, and that money and time needed to be set aside to ensure systems were as secure as possible
“Now we are at a time where it’s an integral commodity and it is part of the operating system itself. It’s just there and it works,” says Thiel. “With IoT, people have to learn that the security aspect is really important and it’s not something that is for free. The industry has to adapt the solutions and support them because security is limited by how often you can update it.
“Our customers have to think about how they want to update in the field, so there are a lot of new elements about how these end-to-end, machine learning communications have worked and how they will work moving forwards. One of our biggest challenges is to help our customers through this learning curve, but I’m sure we can do this successfully.
“Everything that is impacted by security finds itself in a race between attackers and defenders and IoT is no different. The most important thing is that security isn’t a static feature; we have to continually develop, analyse and innovate so we can improve and react to new methods of attack.”