Building Trust into the IoT - ETSI · 2019-10-25 · Use of SIM to securely provision an IoT...

Post on 30-May-2020


Building Trust into the IoT: The Role of the Mobile Industry

Mona Mustapha, IoT Technical Specialist

ETSI IoT Week 2019

gsma.com/iotsecurity

Regulatory Push for IoT Security – Applying Pressure to Developers


IoT Security Guidelines and Assessment

SECURITY PRINCIPLES

IoT SECURITY GUIDELINES

DETAILED CONTROL STATEMENTS

• Security by Design
• Privacy by Design
• End to End
• Across the lifetime
• Evaluate Technical Model
• Review Security Model
• Assign Security Tasks
• Review Component Risk
• Implementation
• Ongoing Lifecycle

IoT SECURITY GUIDELINES FOR SERVICE ECOSYSTEMS

IoT SECURITY GUIDELINES FOR ENDPOINT ECOSYSTEMS

IoT SECURITY GUIDELINES FOR NETWORK OPERATORS

IoT SECURITY ASSESSMENT


IoT Security Guidelines

• Over 200 pages of advice and best practice to secure devices, service platforms and networks
• 85 detailed recommendations
• 3 ‘worked’ examples – wearables, personal drone, automotive
• Risk and privacy impact assessments
• 12 principal attack models
• IoT Security Assessment checklist

Worked Examples

• The guidelines contain three worked examples to demonstrate how to use the guidelines
• Shows how generic guidelines can be applied to a multitude of different IoT services because most IoT services are built from the same components
• The worked examples cover both the front-end ‘devices’ and back-end ‘service platforms’

Example Recommendation: Trusted Computing Base

Diagram labels: Secure Hardware Element, Secure Identity, Cryptographic Functions, Credentials, Trust Anchor


Leveraging the SIM to Secure IoT Services

Mobile network operators use SIM cards to authenticate devices accessing their networks and services. SIM cards can also support additional security capabilities that can be harnessed by Internet of Things (IoT) applications.

The case study shows how mobile operators in the Americas, Asia and Europe are developing and deploying SIM-based IoT security services to support their IoT customers.

Four mini-case studies in one document:

• Secure provisioning and storage of a PKI certificate on a SIM card in a smart meter.
• SIM-based solution to update the passcodes on smart meters once they have been deployed in the field.
• Use of SIM cards to authenticate smart watches and other IoT devices.
• Use of SIM to securely provision an IoT device’s identity and credentials for secure authentication to cloud platforms.

www.gsma.com/iot/case-study-sim-secure-iot-services/

GSMA Focus Area

Title: Using the SIM as a ‘Root of Trust’ to Secure IoT Applications.

Description: Develop common approaches to leverage SIM security capability for IoT solutions providers.

What is the need?

Define solutions that let IoT developers leverage standards-based SIM security capabilities - taking the concept of using the SIM to secure IoT services one step closer to commercialisation.

What will be done?

The deliverable will define common ways for IoT services to use the capabilities of the SIM to enhance the security of commonly used internet protocols (e.g. D/TLS).

Who / How:

Developed and documented by a group of technical experts from (amongst others) network operators, SIM vendors, module vendors and cloud solution providers.

When: To be published in Q4, 2019

Example - Using IoT Security Applet

Architecture diagram labels: IoT Server Application, IoT Server Middleware, IoT Security Service, IoT Client Application, IoT Device Middleware, IoT Security Applet. Roles shown: IoT Device OEM, IoT Service Provider, IoT Applet Owner, Server / Cloud.

In one solution we use an IoT Security Applet to:

• Enable the IoT device to securely perform mutual (D)TLS authentication to a server using asymmetric and symmetric security schemes.

• Enable the IoT device to compute shared secrets and keep long term keys secret.

• Enable credential life cycle management from an IoT Security Service.

Note: IoT Security Applet shall only use APIs defined by JavaCard, GlobalPlatform and ETSI 102 241.
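An added sketch (not GSMA's or any vendor's code) of the key-isolation idea in the IoT Security Applet slide, for the symmetric case only: a hypothetical `SecurityApplet` class stands in for the SIM applet, holds the long-term key, and exposes only MAC and key-derivation operations, so the device middleware completes mutual authentication without ever reading the key. The class names, labels and message layout are assumptions, and the exchange is a simplified challenge-response, not the (D)TLS handshake itself.

```python
import hashlib
import hmac
import secrets


class SecurityApplet:
    """Hypothetical stand-in for the SIM applet; the key never leaves it.
    (Python only hides the attribute; on a real SIM the card enforces this.)"""

    def __init__(self, long_term_key: bytes):
        self.__key = long_term_key  # no getter is exposed

    def mac(self, label: bytes, transcript: bytes) -> bytes:
        # Distinct labels keep device proof, server proof and session key apart.
        return hmac.new(self.__key, label + transcript, hashlib.sha256).digest()

    def derive_session_key(self, transcript: bytes) -> bytes:
        return self.mac(b"session|", transcript)


class Server:
    """Server side; assumed to hold the same provisioned key in its own vault."""

    def __init__(self, provisioned_key: bytes):
        self._vault = SecurityApplet(provisioned_key)
        self.session_key = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per run, defeats replay
        return self._nonce

    def respond(self, device_nonce: bytes, device_proof: bytes):
        transcript = device_nonce + self._nonce
        expected = self._vault.mac(b"device|", transcript)
        if not hmac.compare_digest(expected, device_proof):
            return None  # device did not prove possession of the key
        self.session_key = self._vault.derive_session_key(transcript)
        return self._vault.mac(b"server|", transcript)


def mutual_authenticate(applet: SecurityApplet, server: Server):
    """Device middleware: drives the exchange using applet operations only."""
    device_nonce = secrets.token_bytes(16)
    transcript = device_nonce + server.challenge()
    server_proof = server.respond(device_nonce, applet.mac(b"device|", transcript))
    if server_proof is None:
        return None  # server rejected the device
    if not hmac.compare_digest(applet.mac(b"server|", transcript), server_proof):
        return None  # server did not prove possession of the key
    return applet.derive_session_key(transcript)
```

Both sides end with the same per-run session key only when they hold the same provisioned key; a device with the wrong key is rejected before the server derives anything.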

How To Assess Your Solution or Your Suppliers:

• Organisational Procedures

• Service Platform Security

• Communications Security

• Device Security

Using: GSMA IoT Security Assessment

GSMA IoT Security Assessment – Backed by Security Experts

Don’t have the resources/knowledge to complete a GSMA IoT Security assessment? Then use the services of a security expert, some examples being:

Mobile IoT Security Report

Security Features of LTE-M & NB-IoT Networks

• Highlights the security enabling features and services of LTE-M and NB-IoT networks with the purpose of:
  • Explaining how LTE-M & NB-IoT networks are “Secure by Design”
  • Raising awareness and usage of the security features and services provided by mobile operators
  • Driving awareness of the security services and features of Mobile IoT networks within mobile operators who have not yet deployed the features
  • Providing an example of how IoT network security can be promoted by mobile operators to differentiate themselves from other network technologies

Report: www.gsma.com/iot/resources/security-features-of-ltem-nbiot/

Accompanying Blog: www.gsma.com/iot/news/how-secure-by-design-mobile-iot-networks-are-protecting-the-iot/


FIND OUT MORE: gsma.com/iotsecurity

GET IN TOUCH: iot@gsma.com

IoT SECURITY