LoRaWAN and NIS2 Directive Compliance?

The expansion of the Internet of Things (IoT) has brought technologies like LoRaWAN to the forefront of innovation. LoRaWAN has been marketed as the LPWAN technology that reaches furthest and is the best option for getting your sensors connected. However, we are living in an era of increased threats from attacks, and cyber security is on almost everyone's lips. The rigorous demands of the EU's NIS2 Directive pose significant challenges and raise questions for many IoT technologies.

LoRaWAN’s security framework

More than a year ago I published an extensive article about LoRaWAN from a security perspective, and this autumn I started to delve into NIS2 and LoRaWAN.

A quick recap. LoRaWAN has always built on AES-128 with two separate session keys: a network session key (NwkSKey) that protects frame integrity and an application session key (AppSKey) that encrypts the payload. Version 1.1 tightens this by splitting the network session key into separate integrity and encryption keys and by adding a Join Server with its own root keys. At first sight this seems to match what the NIS2 Directive asks for (the Directive prescribes no particular protocol, but Article 21 requires policies on the use of cryptography and encryption). But I have also found other reports: one from RISE Research Institutes of Sweden raises concerns about potential vulnerabilities, especially against advanced cyber threats. This calls for a critical examination of the robustness of LoRaWAN's security architecture.

NIS2 - elevating cybersecurity

The NIS2 Directive demands prompt incident reporting (an early warning within 24 hours of becoming aware of a significant incident and a notification within 72 hours) and necessitates comprehensive risk management practices across various sectors. Its broad scope and stringent requirements challenge IoT technologies like LoRaWAN to demonstrate resilience and adaptability. In my earlier post, I raised concerns about over-the-air updates of firmware and the lack of a dedicated spectrum. Both pose challenges.

While LoRaWAN lays a solid foundation for secure communications, RISE underscores concerns regarding LoRaWAN's dependence on licence-free spectrum (the 863-870 MHz ISM band in Europe). In such a band nobody controls who else transmits, and duty-cycle limits cap how much airtime each device gets, which raises significant questions about transmission control and reliability, both crucial under the stringent requirements of the NIS2 Directive. The inherent variability of shared-spectrum usage might lead to challenges in ensuring consistent service quality and maintaining the security integrity demanded by the Directive. And to be honest, that is my conclusion, too.

Industry confidence vs. research prudence:

The optimistic views of industry players about LoRaWAN's security capabilities contrast with the more cautious assessments from research bodies like RISE. This contrast highlights the need for a continuous and collaborative effort to enhance LoRaWAN's security measures, ensuring they are not just compliant but also resilient against future threats. But even if the security standards are met, we have to talk about the elephant in the room: the frequency aspect. An in-depth look at LoRaWAN's security reveals mechanisms such as per-session key derivation at join, AES-128-based payload encryption and message integrity codes, and frame counters as a countermeasure against replay. However, RISE points out that with the increasing sophistication of cyber threats, these mechanisms need constant updates and stress-testing against emerging vulnerabilities.

And this is my other problem with many LoRaWAN devices. Ask yourself: have you recently updated any of the electronic devices in your possession with a security patch? If you say no, you are advocating LoRaWAN to the point of denial. Then the follow-up question: can your LoRaWAN device update its firmware over the air? Most of them cannot (the LoRa Alliance does specify firmware update over the air, FUOTA, but support in deployed devices is far from universal). Are you likely to have to update your LoRaWAN device with a security patch at some point during its lifespan? I believe so: with a battery life expected to be 10-20 years, an update will be necessary at some point.

Conclusion:

RISE concludes that in a city network LoRaWAN can be used when:

  • Measurement data is not critical to the operation.
  • Time intervals for data collection are longer than 10 min.
  • Other connectivity technologies are not available or economically justifiable.
  • Long battery life in battery-powered sensors is desirable.
  • The organisation can implement alternative methods for updating sensor software.

RISE also concludes that mobile networks offer better possibilities for setting SLA and quality requirements, since a licensed operator controls the spectrum.

As organisations covered by the NIS2 Directive evaluate LoRaWAN, the technology faces a critical period of evaluation and enhancement. Stakeholders must embrace a proactive, adaptive security approach, integrating diverse expert perspectives, especially from leading research institutions like RISE. This comprehensive strategy is essential for LoRaWAN to secure its place as a reliable and compliant technology in the evolving cybersecurity domain.