Building Trust into the IoT - ETSI · 2019-10-25 · Use of SIM to securely provision an IoT...

Building Trust into the IoT: The Role of the Mobile Industry
Mona Mustapha, IoT Technical Specialist
ETSI IoT Week 2019


Page 2

gsma.com/iotsecurity

Regulatory Push for IoT Security – Applying Pressure to Developers

Page 3

IoT Security Guidelines and Assessment

SECURITY PRINCIPLES

IoT SECURITY GUIDELINES

DETAILED CONTROL STATEMENTS

• Security by Design
• Privacy by Design
• End to End
• Across the lifetime

• Evaluate Technical Model
• Review Security Model
• Assign Security Tasks
• Review Component Risk
• Implementation
• Ongoing Lifecycle

IoT SECURITY GUIDELINES FOR SERVICE ECOSYSTEMS

IoT SECURITY GUIDELINES FOR ENDPOINT ECOSYSTEMS

IoT SECURITY GUIDELINES FOR NETWORK OPERATORS

IoT SECURITY ASSESSMENT

Available in:

Referenced By:

Page 4

Over 200 pages of advice and best practice to secure devices, service platforms and networks

85 detailed recommendations

3 ‘worked’ examples – wearables, personal drone, automotive

Risk and privacy impact assessments

12 principal attack models

IoT Security Assessment checklist

IoT Security Guidelines

Supported by:

Page 5

Worked Examples

• The guidelines contain three worked examples to demonstrate how to use the guidelines

• Shows how generic guidelines can be applied to a multitude of different IoT services because most IoT services are built from the same components

• The worked examples cover both the front-end ‘devices’ and back-end ‘service platforms’

Page 6

Example Recommendation: Trusted Computing Base

Page 7

Secure Hardware Element

Secure Identity

Cryptographic Functions

Credentials

Trust Anchor

Example Recommendation: Trusted Computing Base

Page 10

Leveraging the SIM to Secure IoT Services

Mobile network operators use SIM cards to authenticate devices accessing their networks and services. SIM cards can also support additional security capabilities that can be harnessed by Internet of Things (IoT) applications.

The case study shows how mobile operators in the Americas, Asia and Europe are developing and deploying SIM-based IoT security services to support their IoT customers.

Four mini-case studies in one document:

• Secure provisioning and storage of a PKI certificate on a SIM card in a smart meter.

• SIM-based solution to update the passcodes on smart meters once they have been deployed in the field.

• Use of SIM cards to authenticate smart watches and other IoT devices.

• Use of SIM to securely provision an IoT device’s identity and credentials for secure authentication to cloud platforms.

www.gsma.com/iot/case-study-sim-secure-iot-services/

Page 11

Title: Using the SIM as a ‘Root of Trust’ to Secure IoT Applications.

Description: Develop common approaches to leverage SIM security capability for IoT solutions providers.

What is the need?

Define solutions that let IoT developers leverage standards-based SIM security capabilities, taking the concept of using the SIM to secure IoT services one step closer to commercialisation.

What will be done?

The deliverable will define common ways for IoT services to use the capabilities of the SIM to enhance the security of commonly used internet protocols (e.g. D/TLS).

Who / How:

Developed and documented by a group of technical experts from (amongst others) network operators, SIM vendors, module vendors and cloud solution providers.

When: To be published in Q4, 2019

GSMA Focus Area

Page 12

[Diagram labels: IoT Client Application, IoT Device Middleware, IoT Security Applet, IoT Server Application, IoT Server Middleware, IoT Security Service, IoT Device OEM, IoT Service Provider, IoT Applet Owner, Server / Cloud]

In one solution we use an IoT Security Applet to:

• Enable the IoT device to securely perform mutual (D)TLS authentication to a server using asymmetric and symmetric security schemes.

• Enable the IoT device to compute shared secrets and keep long term keys secret.

• Enable credential life cycle management from an IoT Security Service.

Note: IoT Security Applet shall only use APIs defined by JavaCard, GlobalPlatform and ETSI 102 241.

Example - Using IoT Security Applet

Page 13

How To Assess Your Solution or Your Suppliers:

• Organisational Procedures

• Service Platform Security

• Communications Security

• Device Security

Using: GSMA IoT Security Assessment

Page 14

Don’t have the resources/knowledge to complete a GSMA IoT Security Assessment? Then use the services of a security expert, some examples being:

GSMA IoT Security Assessment – Backed by Security Experts

Page 15

Mobile IoT Security Report

Security Features of LTE-M & NB-IoT Networks

• Highlights the security enabling features and services of LTE-M and NB-IoT networks with the purpose of:

• Explaining how LTE-M & NB-IoT networks are “Secure by Design”

• Raising awareness and usage of the security features and services provided by mobile operators

• Driving awareness of the security services and features of Mobile IoT networks within mobile operators who have not yet deployed the features

• Providing an example of how IoT network security can be promoted by mobile operators to differentiate themselves from other network technologies

Report: www.gsma.com/iot/resources/security-features-of-ltem-nbiot/

Accompanying Blog: www.gsma.com/iot/news/how-secure-by-design-mobile-iot-networks-are-protecting-the-iot/

Page 16

FIND OUT MORE: gsma.com/iotsecurity

GET IN TOUCH: [email protected]

IoT SECURITY