As IoT becomes a massive market composed of billions of connections securing it involves an enormous and continuously growing threat surface and raised stakes. Consequences extend far beyond initial breaches to what is done with stolen data and the reputational damage that is caused.
Research by security specialist, Kaspersky, has uncovered that more than 1.5 billion attacks have occurred against IoT devices in the first six months of 2021. The firm’s telemetry data, which it draws from its honeypots that collect attack information, has shown that cyberattacks on IoT devices have increased by more than 100% since the previous half-year. The IoT industry is trying to be proactive and put security in place from the very start of deployments because it is well understood that the promise of IoT won’t be achieved if trust is lost. IoT relies on users putting their data, hardware and processes in its hands in order to provide improved experiences, greater revenue and enhanced efficiency. If it is perceived as insecure, adoption will be slower and more cautious, with innovation correspondingly delayed.
“It is vital for the trustworthiness of the Internet of Things (IoT) that we take a secure-by-design approach by properly protecting and processing the credentials used to secure data exchange between the IoT device and the cloud,” Ian Pannell, the chief engineer at GSMA, has said. “Otherwise, enterprises will not be able to rely on the quality, accuracy or integrity of the data being collected, rendering it useless or even worse, dangerous.”
Alongside secure by design principles, one of the most important IoT security initiatives is improvements to the security of the connected device. Harnessing the security inherent in the secure element is an obvious answer, as is utilising the capabilities of the SIM, as it is mandated for achieving best in class authentication to the cellular networks.. However, all the while the SIM was a removable component, an IoT device manufacturer or deployer couldn’t rely on it being able to support additional features to achieve securing their IoT network and communications from the device to the IoT data aggregator or manager.
The arrival of the embedded SIM (eSIM) and integrated SIM (iSIM) solved this dependency by allowing additional security to be included and enabled in the SIM and then manufactured as a permanent fixed capability of the device for its life. This then ensures it is secure in operation once it automatically configures the connection at the point of deployment.
The IoT SAFE (IoT SIM Applet For Secure End-to-End Communication) has been developed by the mobile industry at GSMA to provide a common mechanism to secure IoT data communications, offering a repeatable and scalable approach on all types of SIM for original equipment manufacturers (OEMs). IoT SAFE uses the SIM as a miniature crypto-safe inside the device to securely establish a datagram transport layer security (D)TLS session with a corresponding application cloud or server. It provides a common application programme interface (API) for the SIM to be used as a root of trust by IoT devices and, in this way, can address the security challenge of provisioning millions of devices. The applet enables IoT devices to compute shared secrets and keep long-term keys secret and supports provisioning and credential management from a remote IoT security service.
However, improvements are needed in ease of deployment to encourage adoption of IoT SAFE. To achieve this, Kigen has created the Open IoT SAFE initiative by combining GSMA IoT SAFE with the IETF’s (Internet Engineering Task Force) Enrolment over Secure Transport publication (RFC 7030). This brings together two important principles:
- The use of the standard DTLS-secured IP channel, with the credentials securely injected into the device at the point of manufacture. This is used to establish a secure interface, over a device’s connectivity, to communicate with the cloud’s on-boarding service.
- The use of on-board key generation directly inside the device which remain in the secure, tamper-resistant element.
These principles eliminate complexity and effort by each party that wants to use the service and ensure that any device should be able to exchange any data across any network and securely exchange that data with a given enterprise on any cloud.
Security adoption stands or falls on the ease with which it can be deployed, managed and updated. Kigen’s Open IoT SAFE initiative offers simple, unified zero touch provisioning. This lowers the barriers to access hardware-based security for more effectively protecting credentials, with the use of open systems based on standards that do not demand complex integration. In addition, the initiative treats enterprise security credentials with the same level of protection as mobile network authentication credentials, bringing communications industry grade security to IoT.